Sending Sensitive Information Via E-mail

ESDC employees send and receive thousands of e-mail messages, some of them sensitive. Within the ESDC electronic network, technology is in place to help keep information safe. But there are always risks, which employees can mitigate by understanding how to manage certain information.

You may receive a prompt from “McAfee Data Loss Prevention” to consider encrypting an e-mail if it contains a Social Insurance Number (SIN) or a credit card number.

DO...

  • Know the sensitivity of information you are sending. Consult the Information Categorization Tool.
  • Understand What’s the Big Deal if you e-mail sensitive information.
  • Encrypt sensitive information if sending outside our Department. Note that Entrust is to be used to send encrypted files/e-mails internally and between other Government of Canada departments. See how to create encrypted files and e-mails.
  • Make sure that you are sending the e-mail to the RIGHT person(s) and/or distribution list(s).
  • E-mail sensitive information/attachments ONLY to employee(s) authorized to receive such information AND who have a valid security screening level matching the level of information being shared.
  • Consider using the ‘Bcc’ field for a group e-mail distribution list (to ensure privacy when sending to a group).
  • Remove any protected or personal information that may have been sent to you before forwarding or replying to an e-mail.
  • Inform your manager and Regional Security Office if sensitive information is inadvertently sent via e-mail.
  • Ask your manager for clarification if you are unsure if information is sensitive.
  • Understand that all ESDC employees are to adhere to the ESDC Network Use Directive, which outlines how to use the departmental electronic network in an acceptable and responsible manner.
    • The electronic network is monitored to keep ESDC information safe.

DON'T...

  • Put names, Social Insurance Numbers (SINs), credit card numbers, Personal Record Identifiers (PRIs), dates of birth and other personal information in the subject line of e-mail messages.
  • Send Protected B information via e-mail outside the ESDC electronic network unless it is encrypted.
  • Give sensitive personal, financial, business, system or network information to anyone you don’t know or who does not have a legitimate need to see it.
  • Send Protected C and Classified (Confidential, Secret or Top Secret) information by e-mail.
  • Include potentially embarrassing information in an e-mail.