Data Protection


Guidance on using email

This guidance has been produced to help ensure the proper and efficient use of UCL’s email service. Following these recommendations helps UCL comply with new data protection legislation.


Keeping e-mails

Don’t keep anything unnecessarily; review regularly.


  • Get into the habit of reviewing email messages regularly.

  • Delete any working copies, trivial emails, out-of-date reference material and duplicates.

  • You can use the auto-archive and auto-delete functions within Outlook to stop your inbox from getting out of control.

  • It is good practice to manage your emails into folders and generally try to keep emails in your inbox to a minimum.

Sending e-mails

Sending e-mail is not the most secure method of sharing information and should be avoided when handling special category/sensitive data. If you still use e-mail, follow the best practice guidelines here.

Use CC & BCC with care

Every time a message containing personal data is copied to another recipient there is an increased information compliance risk.

To minimise risk, we make the following recommendations:

  • Limit the use of CC only to those who need to receive the information.
  • Where you regularly have to send personal information, use alternative sharing tools such as SharePoint and OneDrive.
  • With the above in mind, where it is still necessary to send to multiple recipients, BCC (Blind Carbon Copy) can be a useful tool. BCC is a means of sending an email to a large number of people without them knowing who else is getting the email.

Case study: Gloucester Constabulary were recently fined £80,000 by the ICO for sending a bulk email that identified victims of non-recent child abuse. Use of the BCC function in this case would have prevented their details from being seen by others.

Consider using encryption

The risks of transferring personal data increase when emailing non-UCL recipients, i.e. those not using an “@UCL” email address.

Robust encryption is recommended as it can be used to ensure confidentiality. Encryption keeps data private by converting it to an unreadable format. Only people who have an encryption key can access the data.

Please refer to the ISD-produced guidance on options for encryption for more information. If you are uncertain about how best to utilise encryption, please seek advice from isg@ucl.ac.uk.

Alternative to sending e-mail

Using email for sharing documents and personal information is often not the best method. SharePoint and OneDrive are both secure features of Office 365 as offered by UCL.

SharePoint is a web-based collaboration space which can be used to create, edit and share content between colleagues. There are a number of different service levels offered by UCL depending on business use and your skill level.

  • You can contact ISD to request your own SharePoint site. 

OneDrive for Business is a web-based collaboration space designed for personal use, such as sharing a file with an individual. UCL staff and students are each allocated 1TB of storage space for OneDrive.

UCL’s shared drive provides access according to file system permissions. It is secure and is backed up on a daily basis.

Shared role accounts and shared mailboxes

Shared mailboxes can help to avoid duplicating content and to keep e-mails grouped by task, so that they can easily be cleaned up later.

You can use role accounts for e-mail collaboration using a shared mailbox.

A role account is a generic user ID assigned for one specific role that can be used by more than one person. The account must have a registered owner. Role accounts can only be used by one person at a time and must not be used for personal email or file storage. They will have access to an email address, N:\ storage, Desktop@UCL and Eduroam, but not to print@UCL or library services.

Use of role accounts must be reviewed annually to ensure continued need. If an account is no longer needed, this must be relayed back to User Services by filling in the self-service form so the role account can be closed.

If you wish to use a role account for email collaboration, you should use a shared mailbox. This allows multiple people to access a single mailbox, which is useful in a number of circumstances, such as a PA needing access to a manager’s inbox.

A shared mailbox is a mailbox that multiple users can use to read and send email messages. Shared mailboxes can also be used to provide a common calendar, allowing multiple users to schedule and view vacation time or work shifts.

Use an Out of Office (OOO) message

Out of Office (OOO) should be used in all cases where staff are away/unable to access their email.

The OOO message should include dates of no email access, and alternative contact details – a mailbox or a colleague who may be able to assist the sender.
Please see the UCL guidance on out of office messages.

  • Be objective and professional. Bear in mind that emails are subject to ‘access to information regimes’, i.e. freedom of information and data protection legislation – what you write in an email may have to be disclosed.
  • One subject per message: limit the content in each email message to one subject, which will make management easier. Keep subject lines concise, clear and related to the purpose of the email.
    • Avoid personal data.
  • Establish email protocols in your local areas to ensure that everyone in your office manages their email in a similar way.

Use folders

Stay organised to help with the management and protection of data.

  • For example, use a folder called ‘private and personal’ that clearly indicates the nature of the messages to be stored.