It is our duty to ensure that personal information is kept safe and secure, and only shared with those who have a legitimate reason to receive it. When information is in transit between individuals or information systems it is at risk of loss, damage, theft and inappropriate or accidental disclosure.
This section sets out guidance on what to do in Merton when transferring information about identifiable individuals. However,
this guidance does not override the information governance procedures of individual organisations. Agencies should consult their own local procedures – guided by their own professional code of conduct. (Merton Council colleagues can read more on the
Merton Council Information Governance Intranet page.)
Information Sharing in preceding section.)
Summary Flow chart of all Electronic Secure Exchange options, see Appendix 7.
Disclosing information by telephone
- Always ask the caller to confirm their name, address and other identifying information. Be sure you know who you are talking to.
- If you don’t know the caller be careful about disclosing information. If they are calling from another organisation you should call them back through their organisation's published switchboard number. Do not disclose information when a return telephone number cannot be supplied.
- Only provide the information to the person who has requested it. If they are not there you should leave a message for them to call you back.
- If the fact that someone has contacted your service is confidential, do not leave a message with someone else or on a voicemail unless you have their permission to do so.
- Be aware of who might overhear your call.
- Keep a record of any confidential information disclosed during the call.
Sharing confidential information by Fax
- Paper documents are often sent by fax. Precautions must be taken when sending information by fax because the receiving machine may be sited in an open office, meaning the document is visible to other staff, contractors or visitors.
- Telephone the recipient of the fax to let them know you are about to send it.
- Check the fax number. If the information is confidential ask them to wait by the fax.
- Consider asking the recipient to confirm receipt of the fax; or call them to ensure the fax has arrived.
- Use pre programmed fax numbers where possible to reduce the chance of the fax being sent to the wrong machine.
- Ensure that you use an appropriate fax cover sheet.
- Keep a record that you have sent the fax.
Receiving confidential information by Fax
- If the information is not for you, either pass it to the proper recipient or inform the sender. Do not ignore it.
- Consider the location of your fax machine. Is it in a secure environment?
- If your fax machine is not in a secure environment or you receive faxes outside office hours, you should consider a 'fax to email' solution.
Sharing personal information by regular email - using encryption or password protection
Huge amounts of information are sent by email, within and across agencies. Whilst internal messages are reasonably secure (e.g. within the council, within schools London Grid for Learning system; or within health services secure platforms), those sent to addresses external to these internally-secure-systems by regular email are not considered secure enough for confidential information exchange. Confidential information must be sent by other methods - several options follow below.
- Ensure all recipients need to receive the information. Think twice before responding to a group email or copying others in.
- Mark the message 'confidential'.
Do not include confidential information in the Subject field.
- If you have to send a document containing personal information to an external recipient, use a
password protected file (click this link to Appendix 1 for suggested guide). Further, when this information is confidential,
encryption should be used. One option is to use
WinZip (click this link to Appendix 2 for some guidance on using WinZip for encryption), but consult your own agency for further guidance, or other options, as well.
Remember to use a different password to anything you may use for other tasks because you will have to share the password when you disclose the document.
Always save the version of the document that requires a password as a new file and retain the original safely.
IT Services will not be able to open password protected or encrypted documents without the password. Passwords and encryption are not necessary for information shared between those within a secure platform (e.g. within the council, within health, within the police: further in
Secure Email below)
Do not send the password by the same email. Either send by separate email, or preferably use the telephone, making sure you know who is receiving the information.
- For regular transmissions, it is recommended that passwords are changed at least every three months.
- Record what information has been sent
After receiving a password protected file, reverse the 'password protection' status, and then rename the document and proceed to save as appropriate for your service. Alternatively, if saving as a password protected version, include the password itself in the new name and then save within your own in-house secure system as above.
Do not rely on remembering the password.
Sharing information by secure email
What is secure email?
When a regular email is sent between different organisations it is transmitted over the Internet. This means that the contents of that email are not particularly secure. Email can be intercepted or misdirected, either by accident or for criminal purposes.
While the risk of interception is quite low – (an estimate places the number of emails sent daily globally at hundreds-of-billions) – the public do expect us to keep sensitive personal information confidential. They also expect us to protect information which identifies large numbers of people. Therefore a secure email facility should be used to share information identifying large numbers of people as well as sensitive or confidential information about a single individual.
Secure email involves sending information to trusted partners through a network of secure, encrypted servers. The secure email facility encrypts the contents of an email when it is sent. This encryption ensures that the email, if intercepted, will be unreadable. Once the email reaches its secure destination it will be decrypted so that the intended recipient can read it.
When should I use secure email?
An email sent
within large organisations such as NHS, Police, Central Government, the court service or within a particular local authority is secure because it stays within that network’s firewalled security system. So an email sent from email@example.com to firstname.lastname@example.org is secure; similarly when shared between email@example.com and firstname.lastname@example.org an email will be secure.
across SOME of these platforms is secure – such as for NHS, Police and Central Government who are all part of the
Governments Secure Community. Thus email@example.com can securely exchange with firstname.lastname@example.org .
But sharing between any of those above within that Government Secure Community platform with a local authority colleague, such as email@example.com sharing with firstname.lastname@example.org, is not secure because the bridge between these separate secure platforms is through the internet which is not itself secure.
Similarly schools merton.sch.uk addresses within the schools platform do not allow for secure exchange with merton.gov.uk addresses.
And so, alternative options to support all such secure exchange are described next.
Secure email options for partner agencies with Merton Council
a) Merton Council Guest Webmail Accounts:
A number of
Merton Commissioned Services have been provided with
@merton.gov.uk accounts to allow for secure exchange of sensitive personal information with Merton Council services. This also allows those services to avail of
CJSM facility described in b) immediately below
email@example.com list of voluntary agencies who hold such guest Merton email accounts. Appendix 3 from attached link provides
Sign-Up and Usage Guidance.
This a) option which uses Outlook Web Access (OWA) rather than a Merton network logon account is accessed via:
www.merton.gov.uk/webmail. It requires the user to have been provided with a Merton token, as well as unique User Name and Password, for access. (Cut and paste link-addresses into URL if clicking doesn't activate.)
Otherwise use alternative option, such as those outlined elsewhere in this section.
CJSM (Criminal Justice Secure Mail)
CJSM is a facility provided by the Criminal Justice IT system (CJIT) which allows for secure exchange between local authorities, health and police as well as some Third Sector organisations within this Government Secure Community platform.
In Merton anyone who has an
@merton.gov.ukaddress has been automatically signed up to the secure CJSM system. (Please note this automatic association between LA address and CJSM address does not necessarily apply to other local authorities). This allows secure email sharing within relevant secure partner networks e.g. with health (using their @nhs.net address ONLY,
NOT the local nhs.uk addresses); or with police’s @met.pnn.police.uk address, by the simple process of their adding
.cjsm.net to existing @merton.gov.uk email addresses (e.g. firstname.lastname@example.org ) ; and vice versa to @nhs.net.cjsm.net.
See further detail, including tables summarizing cross-agency suffixes, on CJSM Usage provided as
Guidance is also provided in
Appendix 5 on how other organisations MAY be able to independently join the CJSM system using web access.
c) GCSx (Government Connect Secure Extranet)
GCSx is a secure, private, Wide Area Network (WAN) that forms part of the Government Secure Intranet (GSi) – a collective term used for the various Government networks that are connected together by the Public Sector Interconnect (PSI) – including CJSM in b) above. All local authorities in England and Wales currently have option to be connected to GCSx, allowing the potential for secure exchange with each other, with central government departments or any other GSi organisations.
This service is suitable for messages to and from other bodies connected to GCSx - generally restricted to central government departments and local authorities.You will need to check that the person to whom you want to send messages has a GCSx connection.
You will first of all need to get a special mail account set up for yourself. To do this within Merton Council, you need to register (internally, on Intranet) with HR via http://intranet/baseline-personnel-security-standard, while simultaneously raising a Service Request with IT on http://msapp13/sw/selfservice/portal.php . HR will carry out some checks before staff can have the account, and there are some restrictions on its use. The GCSx email address takes the form
email@example.com once set-up will be added to your Outlook as a separate account so that you can see your GCSx secure communications in a dedicated Inbox.
Further general information from www.gsi.gov.uk/cross-net.htm or
Sharing information via Secure Document Exchange Portal
d) USO-FX (Unique Sign On File Exchange) within London Grid for Learning (LGfL) system
LGfL is a consortium of the 2500 London schools in London’s 33 Local Authorities. The LGfL IT platform offers a secure method by which sensitive data can be transferred between Merton Council and Merton schools: it's
USO-FX (Unique Sign On File Exchange) facility provides a mechanism for online electronic document transfers in a secure (encrypted) manner. Instead of sending the message directly to the recipient, it is stored securely on the LGfL server. The recipient receives a message telling them there is an email message with attachment waiting for them which they must log in to retrieve. All documents uploaded into the transfer system via the USO account tracks the identity of both the sender and the recipient.
At the point when a document is uploaded, an ‘announce’ email is sent to every intended recipient as notification that a new file has been made available. Upon viewing, retrieval or ‘deletion’ by the intended recipient, an entry in the audit trail will confirm the action to the initial provider, who can then determine the status of the file’s circulation and the point at which the file is actually ‘deleted’ at source.
All schools staff automatically have a log-in to USO-FX, which in Merton take the format
iSecondname.315. All Merton staff and partner agencies also can be set up to similarly log-in to this portal (subject to agreed checks) and thus allow for secure exchange between schools, partner agencies and council staff by this medium. Currently all Children's Social Care staff have been included on the LGfL Directory to facilitate use of this medium for secure exchange between Children's Social Care and schools colleagues.
For sign-up contact firstname.lastname@example.org
Guidance on USO-FX Usage from Appendix 6.
Further general information, see
https://support.lgfl.org.uk/public/docs/lgfl_services/SF_USO-FX.pdf or www.lgfl.net.
Proofpoint is a service which allows emails to be sent securely to people outside the council who are not on GCSx, CJSM or LGfL systems, or who are not holders of guest Merton Council addresses.
Proofpoint is a software tool which will encrypt outgoing emails from @merton.gov.uk account holders. The system in Merton has been set up so that all the sender needs to do is say on the Subject line that they want the message to be encrypted by putting
[Encrypt] at the start of the Subject line.
Similarly to LGfL above, Instead of sending the message directly to the recipient, the message in this case is securely stored on Merton’s server. The recipient then similarly receives an email alert telling them there is a message which they must log in to retrieve.
Though this service has been set up primarily to support secure exchange FROM Merton council to other agencies, external agencies can use this system also BUT will have to be sent a test message securely to allow them to use it’s 'Reply' facility once they’ve logged in and set a password first.
Further guidance from Merton Intranet at http://intranet/proofpoint or more general information from www.proofpoint.com/id/gartner-email-security-magic-quadrant/index.php?id=6
Summary Flow chart of all Electronic Secure Exchange options, see Appendix 7.
Sharing information by post
Posting documents is sometimes the only way to securely exchange documentation. Registered post is also the best way to send confidential data on an encrypted CD. Different levels of security can be used depending on the information being sent
- Consider sending the package as registered or 'signed for' delivery or by courier if confidential.
- Reliable transport couriers should be used at all times. Consult with your Post Room.
- Confidential information sent electronically must be protected by
- Packaging must be adequate to protect the contents from damage during transit.
- Ensure that you have the correct name and address. Sending material that is only addressed to an organisation is no guarantee that it will reach the intended recipient.
- Where appropriate, mark the envelope ‘Addressee Only’.
- This envelope may now be placed inside a larger envelope with only the correct name and address on it. This adds an additional level of security as the package is not easily identifiable as ‘valuable’ and administrative staff should only open the outer envelope.
- Ask the recipient to confirm receipt.
- Record the disclosure.
Sharing information in person
Confidential information may be delivered personally by members of staff. Such information may be held in paper or electronic form. Where electronic devices are used precautions must be taken to ensure the security of your agency’s IT systems as well as any data held on the device itself.
- Personal information should only be taken off site where necessary, either in accordance with local policy or with the agreement of your line manager.
- Log any confidential information you are taking off site and the reason why.
- Paper based information must be transported in a sealed file or envelope. For Merton council arrangements, see Transporting paper-based Information on Merton Intranet.
- Electronic information must be protected by appropriate electronic security measures –
password protection or
- If transferring information by car, put the information in the boot and lock it.
- Ensure the information is returned back on site as soon as possible.
- Record that the information has been returned.
Smart Phones, Memory Sticks, CDs and other removable media and mobile devices
Mobile Devices include Blackberry, iPads, tablets, smartphones,mobiles, and other gadgets. Removable electronic storage media include CD or DVD, memory stick and even floppy discs. These devices and media are particularly vulnerable to loss or theft. Any confidential information on them must be protected by 256 bit AES Encryption in accordance with local policy. See
WinZip guidance above as one option. General guidance may be found at
Additionally, the following principles must be followed when using removable media
- The information must be backed up automatically, so that if the device is lost a risk assessment will facilitate appropriate follow-up action
- Any loss must be reported immediately
- Information must be securely deleted after use. It is not acceptable to carry confidential information on a mobile device or memory stick any longer than necessary. CD’s or DVD’s should be broken before disposal.