Data Protection


Guidance on using email

This guidance has been produced to help ensure the proper and efficient use of UCL’s email service. Following these recommendations helps UCL comply with new data protection legislation.


Keeping e-mails

Don't keep anything unnecessarily; review regularly.


  • Get into the habit of reviewing email messages regularly.

  • Delete any working copies, trivial emails, out-of-date reference material and duplicates.

  • You can use the auto-archive and auto-delete functions within Outlook to stop your inbox from getting out of control.

  • It is good practice to manage your emails into folders and generally try to keep emails in your inbox to a minimum.

Sending e-mails

E-mail is not the most secure method of sharing information and should be avoided when handling special category/sensitive data. If you still use e-mail, follow the best practice guidelines here.

Use CC & BCC with care

Every time a message containing personal data is copied to another recipient there is an increased information compliance risk.

To minimise risk, we make the following recommendations:

  • Limit the use of CC only to those who need to receive the information.
  • BCC (Blind Carbon Copy) can be a useful tool. When you use BCC, all those in the ‘BCC’ field can’t see each other’s email addresses. However, forgetting to use BCC frequently leads to the accidental disclosure of all the recipients’ email addresses.
  • Where you regularly have to send personal information, use alternative sharing tools such as SharePoint and OneDrive.
  • With the above in mind, where it is still necessary to send to multiple recipients, please assess the nature of the information and the potential security risks when deciding on the best method to communicate with a large number of people. If you are sending any sensitive personal information electronically, alternatives to BCC, such as bulk email services (which Information Services Division can advise on), should be considered. You could also consider whether a DPIA should be undertaken in these scenarios.

Please see links to the Information Commissioner's Office's (ICO) recent warning and new guidance about bulk emails.

Consider using encryption

The risks of transferring personal data increase when emailing non-UCL recipients, i.e. those not using an “@UCL” email address.

Robust encryption is recommended as it can be used to ensure confidentiality. Encryption keeps data private by converting it to an unreadable format. Only people who have an encryption key can access the data.

Please refer to the ISD-produced guidance on options for encryption for more information. If you are uncertain about how best to utilise encryption, please seek advice from isg@ucl.ac.uk.

Alternative to sending e-mail

Using email for sharing documents and personal information is often not the best method. SharePoint and OneDrive are both secure features of Office 365 as offered by UCL.

SharePoint is a web-based collaboration space which can be used to create, edit and share content between colleagues. There are a number of different service levels offered by UCL depending on business use and your skill level.

  • You can contact ISD to request your own SharePoint site. 

OneDrive for Business is a web-based collaboration space designed for personal use, such as sharing a file with an individual. UCL staff and students are each allocated 1TB of storage space for OneDrive.

UCL’s shared drive provides access according to file system permissions. It is secure and is backed up on a daily basis.

Shared role accounts and shared mailboxes

Shared mailboxes can help to avoid duplicating content and instead keep e-mails grouped by task, so that they can later be easily cleaned up.

You can use role accounts for e-mail collaboration using a shared mailbox.

A role account is a generic user ID assigned for one specific role that can be used by more than one person. The account must have a registered owner. Role accounts can only be used by one person at a time and must not be used for personal email or file storage. They will have access to an email address, N:\ storage, Desktop@UCL and Eduroam, but not to print@UCL or library services.

Use of role accounts must be reviewed annually to ensure continued need. If an account is no longer needed, this must be relayed back to User Services by filling in the self-service form so the role account can be closed.

If you wish to use a role account for email collaboration, you should use a shared mailbox. This allows for multiple access to a single mailbox, useful for a number of circumstances such as the ability for a PA to access a manager’s inbox.

A shared mailbox is a mailbox that multiple users can use to read and send email messages. Shared mailboxes can also be used to provide a common calendar, allowing multiple users to schedule and view vacation time or work shifts.

Use an Out of Office (OOO) message

Out of Office (OOO) should be used in all cases where staff are away/unable to access their email.

The OOO message should include dates of no email access, and alternative contact details – a mailbox or a colleague who may be able to assist the sender.
Please see the UCL guidance on out of office messages.

  • Be objective and professional. Bear in mind that emails are subject to ‘access to information regimes’, i.e. freedom of information and data protection legislation – what you write in an email may have to be disclosed.
  • One subject per message: limit the content in each email message to one subject, which will make management easier. Keep subject lines concise, clear and related to the purpose of the email, and avoid personal data.
  • Establish email protocols in your local areas to ensure that everyone in your office manages their email in a similar way.

Use folders

Stay organised to help with the management and protection of data.

  • For example, use a folder called ‘private and personal’ that clearly indicates the nature of the messages to be stored.