About confidential information in email

On this page:


Overview

Unencrypted email is not a secure method for transmitting confidential information or sensitive data over the internet. If you have reviewed the information below and determined that it is necessary to send such information, take steps to secure it by encrypting your message, taking into account the sensitivity of the data being transmitted and the level of security at the source and destination systems. Do not send Critical data through email without first consulting with the appropriate Data Stewards. Exchange Online is only approved for up to Restricted data classification at this time. Before using email to share Restricted data, you should consider services approved for Restricted and Critical data, such as:

At Indiana University, do not send sensitive data via email unless:

  • It is required by your role within the university and you've reviewed Your role within the university below.
  • You've reviewed the other service options for more secure alternatives.

For more about data protection, see Protecting Data & Privacy.

Your role within the university

You should only send Restricted data via email if it is absolutely required in order to conduct the business function of the university. Data classified as Critical such as SSN, banking or credit card information, protected health information, and research data with participant identifiers should not be sent via email. If you are unsure whether email is appropriate for a particular situation, consult with the appropriate Data Stewards and the University Information Policy Office (UIPO).

Sensitive data sent outside Indiana University

Microsoft Office Message Encryption (OME) provides encryption for email sent from IU mail servers to recipients outside the IU network. While all outgoing mail is scanned for sensitive data, you should always force encryption of messages you know to contain such information. See About Office Message Encryption (OME) and Ensure that mail sent from your Exchange account to an outside address is encrypted.

Security for large files

If the information you need to send securely is a large file, you might not be able to share it securely via email; IU restricts the size of email attachments. See Email message size limits.

In these cases, you should use Secure Share, which allows you to store sensitive data securely for a limited time, and share it with specific recipients.

Your Secure Share files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Secure Share files are not backed up; when you delete a file, there is no way to recover it. Do not use Secure Share as the only place to keep files you cannot afford to lose.

Learn more about Microsoft at IU Secure Storage.

Related documents

This is document aktv in the Knowledge Base.
Last modified on 2023-11-03 14:14:07.