Do you use email to share sensitive data? While email is one of the most efficient and prevalent forms of communication today, it brings with it the risk of privacy breaches when sharing sensitive data, such as personally identifiable information (PII) or personal health records.

A blog post from the Information and Privacy Commissioner of Ontario (IPC) explains how misdirected emails are a common source of privacy breaches due to unauthorized disclosure of personal information. Some common mistakes include emails sent to an unintended recipient or a group of recipients without using the blind carbon copy (BCC) function. Everyone who sends emails can make these mistakes, but they are preventable with a few simple steps.

• Stop and double check the details of your email before sending. Ensure that you have the correct recipient. Always consider whether you need to BCC and do so when appropriate.

• If the email has an attachment that contains personal information, make sure to encrypt the attachment using a password that you can provide to the recipient by phone. If possible, also restrict who can open the file. For example, if sharing a file using OneDrive, adjust the settings so that only the intended recipient can open the attachment.

The University of Toronto community works with many kinds of data, ranging from publicly available website material to confidential research material. This makes the University a target for various forms of cyber attacks. The IPC has posted a fact sheet about communicating personal health information by email that will help you learn more about the risk of sending sensitive data via email and how to mitigate the risk.

By taking simple steps to safeguard your email communications, you can help reduce the risk of privacy incidents at U of T.