Can I send personal information by email?

Yes, you can send personal information by email, but you must take care that the information is securely protected, especially if it is sensitive.

Organisations have to take reasonable steps to make sure the personal information they hold is kept safe and secure. This includes making sure the information is protected from loss, accidental disclosure or other misuse in the course of transmission.

The appropriate security measures will depend on a number of issues, including:

  • How sensitive is the information?
  • What steps can be taken to secure the information during transmission (for instance, by encrypting the email)?
  • Will documents be attached and, if so, what steps can you take to secure the attachments?
  • What could possibly go wrong and what might the consequences be if something does go wrong?
  • What steps can you take to try and prevent things going wrong?
  • What are your alternatives to transmitting the information and, in particular, is sending the information another way going to be more or less risky?
  • Has the email address been used or checked recently?
  • Has the individual indicated that they’re happy for you to correspond with them by email?

Human error is a common cause of privacy breaches, so you should set up policies and guidelines for staff to minimise accidental breaches such as sending personal information to the wrong person.

If you are considering introducing a policy on sending information by email, or changing your policy on how you send personal information, you may want to consider doing a privacy impact assessment to help identify and manage any potential risks.

If your security measures fail, and cause a security or privacy breach, you may need to notify OPC. A security failure can affect people who may then complain to OPC.