The sharing of any personal information between organisations must be covered by an information sharing agreement.
Risks
Staff should also be wary about over-sharing information. Some information such as official figures may be purely for internal use.
Procedures
There are factors that will influence the data sent and received, and the facility used to transfer the files. They are:
- classification
- recipient or sender
- file size
- access control
Any information classified as restricted will need to be transferred via a secure method.
Certain types of files need to be transferred via a specific method. This particularly applies to files being sent or received to or from government departments, agencies, police and other national bodies.
Information should never be passed or transferred to employees, agencies or partners if they are not authorised recipients of that information.
Files over certain sizes cannot be sent via secure email and should be transferred by another agreed secure method. Check with the service desk if you're unsure.
There are several methods by which file transfer can take place. Which one you choose depends on the classification of the data being sent or received and who it is being sent to.
Emails
Standard emails
emails sent from one derbyshire.gov.uk account to another derbyshire.gov.uk account are contained within our email system. These are secure for file transfer of any classification (public, controlled or restricted).
When sending to a team or generic email account, it must be checked that all persons with access to the team email address are authorised to view any attached files.
emails sent from a derbyshire.gov.uk email address to a non derbyshire.gov.uk email address are insecure because they do not stay within our email system. They should only be used to transfer documents or files that are classified as 'public'.
Email buttons for controlled or restricted information
When creating a new email to a non derbyshire.gov.uk email address there are 2 buttons available - 'Secure email' and 'Encrypted email'. To send restricted or controlled information, these buttons should be used, except to CJSM recipients.
Transport Layer Security emails - secure email
Our email solution uses Transport Layer Security (TLS) which is an internet messaging protocol that sends email contents fully encrypted and secured.
Clicking the 'Secure email' button will force an email to be sent securely. If the recipient's email service cannot handle this level of security (TLS) you will receive a non-delivery report (NDR) after 48 hours.
For those who used to have GCSx email, the 'Secure email' button is now the first option to try.
Microsoft Office 'Encrypted email'
The 'Encrypted email' button can be used to encrypt emails when the 'Secure email' option isn't possible because the recipient's email service cannot handle TLS. The Microsoft Office Message Encryption (OME) product will be used. The recipient will automatically be given a password to unencrypt the email.
The attached files on a single email must not exceed 12MB.
CJSM email
CJSM (Criminal Justice secure email service) is provided for criminal justice agencies and practitioners to communicate with each other.
As a general rule it must only be used for purposes relating to the criminal justice service.
Now the GCSx email service has been withdrawn, if you need to send emails to CJSM on a regular basis, a CJSM account can be set up for you. The secure email and encrypted email buttons should not be used when sending to CJSM email addresses.
File sharing
Cryptshare file sharing facility
Cryptshare is an externally hosted facility to securely share files with a user defined set of external parties.
Files of any classification can be shared and it can be used if files are too large to be sent via email. The file will be password protected and can be made available to the recipient to download for a period of up to 28 days.
This can be useful if you have very large files or documents that are perhaps time regulated, for example, legal documents or planning permissions applications.
It's available to be used through specific request to the transformation service, service desk.
Children's Services SharePoint facility
SharePoint is an externally hosted internet site specifically for the schools' extranet (Learning in Derbyshire).
It can only be used to transfer controlled or restricted documents by our staff and teachers or staff members who have been assigned log on credentials. It can also be used to post or upload public documents to the public facing portion of the site.
Cloud computing
It's our policy that any cloud computing software should not be used to share information. This includes any type of file sharing such as pictures, videos and documents.
External hardware
Always use encrypted portable media.
Alternative methods
Files which need to be shared with other external partners and individuals but cannot be transferred by any of these methods may be transferred by methods specified in the information and classification handling policy.
If you feel you may have accidentally breached this policy, you should contact your line manager immediately, or in their absence, a more senior manager who will record this information.