Email Restrictions for Sensitive Personal Information

Guidelines for the Limited Use of Email to Share Specific Types of Sensitive Personal Information

With the introduction at Tufts of an encrypted email solution, Secure Email, and after a technical review of the Tufts email system, the TTS Office of Information Security has revised its guidance on the use of email for some types of Sensitive Personal Information (SPI).

When the guidelines listed below are followed, this guidance permits the:

  • Use of the Tufts email system for emailing some types of SPI in messages between tufts.edu addresses only; and
  • Use of the Tufts encrypted email solution, Secure Email, for emailing some types of SPI in messages from tufts.edu addresses to external email addresses,

    provided in either case email is used with extreme caution.

Our recommendation remains that in most cases it is preferable to not use email for any type of SPI.

What Sensitive Personal Information do these guidelines apply to?

These guidelines apply to the following types of Sensitive Personal Information only:

  • Social Security numbers
  • Other government-issued identification numbers
  • Financial account numbers that are not credit or debit card numbers

What Sensitive Personal Information may NEVER be sent by Email?

Personal credit or debit card information may NOT be transmitted using the Tufts email system, Secure Email, or encrypted Adobe or Microsoft Office file. The University’s P-card and Travel charge cards have different handling policies that are set by Purchasing that may allow for the use of Secure Email.

Since Email use for SPI should be limited, what are some other alternatives I can use for sharing or sending SPI securely?

Some of the alternatives you can use are listed below. When using the Adobe or Microsoft encryption solutions with email, you will still want to follow the guidelines below.

  • Use Box for regular collaboration and sharing significant amounts of information. If you need to provide SPI on a regular basis to another Tufts staff member or if you need to provide a significant number of identification or financial account numbers, then it is strongly recommended that you establish a Box folder to share the information rather than using the Tufts email service. See the Tufts Box Use Guideline to learn what information may be stored in Tufts Box and see Box Collaboration/Sharing Tips for guidance on securely using Tufts Box.
  • Adobe Pro Suite gives users the ability to protect and encrypt a pdf file, which then may be sent by email. See Adobe Encryption.  NOTE:  Do not send an email with the file and the password in the same email.  Find some other way to communicate the password to users other than email if you will be emailing the file.
  • Microsoft Office Suite - Word, Excel, and PowerPoint have options to protect and encrypt Office files, which then may be sent by email. See Microsoft Encryption.  NOTE:  Do not send an email with the file and the password in the same email.  Find some other way to communicate the password to users other than email if you will be emailing the file.

Guidelines for using either internal Email or Secure Email for SPI other than credit and debit cards:

  1. Only provide SPI to persons who have a need to use the information for an authorized purpose.
    SPI may only be provided to persons – whether within Tufts or externally - who need the information for an authorized purpose. Consider carefully whether using less sensitive information would be sufficient.

  2. If the person receiving the SPI is outside of Tufts and is a vendor or other service provider, then you may not provide the SPI to them unless they are an approved vendor or service provider in compliance with the Massachusetts Data Privacy Laws and regulations.
    The Massachusetts Data Privacy laws and regulations require that before Tufts discloses Massachusetts regulated SPI to any vendor or other service provider, the vendor or other service provider must have entered into an agreement with Tufts in which they commit to abide by the requirements of those laws and regulations. To determine if a vendor or other service provider is a service provider approved by Tufts for SPI, contact infosec-team@tufts.edu.
  3. Follow all University, school and local department policies, guidelines and practices applicable to SPI and email.
    These guidelines do not supersede any requirements established by the University, its schools, and local departments. This is especially important for the treatment of financial account numbers, including financial aid. Users should check with their manager or supervisor before using email for any SPI.
  4. It is recommended that the message be sent as High Priority and the following information be included in the email Subject Line and at the start of the email:
    Subject line: Sensitive Information – Review Immediately
    This email contains Sensitive Personal Information. Please process the information immediately and treat the information securely. Do not forward this email. When responding, please create a new email, rather than using Reply. In any response, do not repeat the Sensitive Personal Information. Please securely delete this email as soon as possible. See Securely Deleting Email in Outlook.
  5. Limit the amount of identifying information in the email.
    The more sensitive information provided, the greater the possible harm if there is a disclosure to an unauthorized person or misuse of the information.
    a. Only provide the minimum information that is necessary for the recipient to complete their work. 
    b. Do not use the Tufts email service to send more than a very limited number of identification or financial account numbers, whether in one email or multiple emails.
  6. Whenever possible, don’t include the subject’s name in the same email.
    Whenever possible, the preferred practice is to not include the person’s name in the email with the associated government-issued identification number or financial account number. For example, stating the person’s employee or student ID number without a name or using initials is preferable. This approach reduces the risk.
  7. Limit the number of recipients.
    The fewer the recipients, the lower the risk. One is preferred.
    Also, it is preferable not to copy the person whose identification number is being provided, since they are already aware of their own identification number. If you wish, you may notify them of the action in a separate email without the number.
  8. If you will use a laptop or any other mobile device for sending an email containing SPI, then it is strongly recommended that the laptop or other mobile device be encrypted.
    There are encryption protections in Outlook both for storing email in Outlook and transmitting a message between tufts.edu addresses.  A message sent using Secure Email is encrypted. Yet, if you will also be working with SPI in a document that is created on, edited on or downloaded to your Tufts laptop or other mobile device, then the laptop or other device must be hard disc encrypted. (In any event, do not create, edit or download a document with SPI on or to your personal laptop or other mobile device.)
    Since you may not always limit your use of email on your Tufts laptop or other mobile device to including SPI only in the text of an email and not in an attachment, it is strongly recommended that any Tufts laptop or other mobile device used to send emails containing SPI also be encrypted.
    Contact the TTS Service Desk (617 627-3376 or it@tufts.edu) for laptop encryption.
  9. Send to the correct address.
    Double check you are using the correct email address. Especially check for addresses added by autocomplete.
  10. If sending an email internally, send only to recipients who have a tufts.edu address.
    Secure Email is not available for use for internal emails.
    When not using Secure Email, the email message may only be sent from a tufts.edu address directly to a tufts.edu address. No email addresses outside of Tufts should be included or used. If an email transmitted to an address that is not a Tufts email address is intercepted, it is likely it will be readable. And you will not know if it has been intercepted.
    Do not send an email from any email account that is not a tufts.edu account.  Do not send an email from your tufts.edu account if you have forwarded the account to another email account outside of Tufts.
    Don’t send the message to a tufts.edu address that you know is forwarded to an email address outside of Tufts.
  11. When using Secure Email, follow the necessary steps to be sure the information is encrypted.
    To use Secure Email, review the information at Secure Email at Tufts and Sending Secure Email online guide.
  12. Delete any drafts and the sent copy of the email immediately.
    a. To delete a draft or a sent copy, see Securely Deleting Email in Outlook.
    b. If you need to retain a copy for your records, export the email message as a pdf and move the pdf to a file approved for storing SPI.
  13. Protect your Tufts password.
    Using email for any SPI heightens the importance of carefully protecting your Tufts password. If someone obtains your password, they will often be able to determine your UTLN, and then will be able to access your mailbox and read all of your messages.
  14. Be aware of the risks introduced by Recipients.
    There is a risk that a recipient will send the information in an unsecure manner to an unauthorized recipient, whether intentionally or inadvertently. Another risk is that the recipient downloads information attached to the email onto an unencrypted laptop or other mobile device.

What should I do if I receive Sensitive Personal Information from someone using an email system outside of Tufts and I’m not sure the email was sent encrypted?

  • If you expected to receive the information, but not through email, contact the sender and recommend that they not use unencrypted email. Alternatives include phone, postal mail, in person and Tufts Box.
  • If you did not expect to receive the information, contact the sender and determine why the information was sent to you. Request that the sender cease sending the information in this manner. 
  • Consider whether to securely store the information or securely dispose of the information. See the guidelines for securely storing and disposing of documents.
  • Remember to securely delete the email. See Securely Deleting Email in Outlook.

What should I do if I sent an email with SPI to the wrong person?

If you sent an email containing SPI to an unintended recipient, immediately notify the Service Desk at 617 627-3376 and ask them to open a second ticket for Information Security. Provide the Service Desk with the information on who was sent the email and what type of information was provided. Do not repeat the specific SPI. Review the information provided at Reporting Information Security Incidents.

What should I do if my email account may have been compromised?

If your email account may have been compromised, notify the Service Desk at it@tufts.edu or 617 627-3376 and ask them to open a second ticket for Information Security. Be sure to tell the Service Desk you had sent an email or emails containing sensitive information. Do not repeat the specific SPI, but indicate the type of information sent and the recipient(s).  Review the information provided at Reporting Information Security Incidents.