Protect Student Data with Email Best Practices
August 29, 2023 9:08 AM

Dear Colleagues,

This year, there have been security incidents that stemmed from emails being sent to the incorrect recipients. We thought this would be a good opportunity to share a few quick and easy tips to ensure emails are getting to the correct people.

To ensure that our students have the best experiences while attending the University of Illinois, we must work together to prevent the disclosure of sensitive information about them. Please take a moment to learn some simple tips and best practices when sending email:

Check to be sure the recipient address is correct. 

• One of the more common privacy incidents related to email happens because of simple mistakes such as selecting the incorrect auto populated email address or the incorrect (but similar) email address. A quick review of your recipient list can eliminate accidental transmission to the incorrect person.

Minimize personal information sent via email.

• Consider whether you need to send the message or sensitive content at all. In some cases, you may not need to include any or all the information about the individual, or the recipient may have other appropriate means to review the information outside of email.
• Use generalized subject lines that leave out student names and sensitive details.

Use secure storage and systems instead of email messages and attachments.

• Communicate non-sensitive information via email or Microsoft Teams and indicate to the other party to check an established secure system or storage location to exchange important information rather than including in the email itself. They have greater control and security, access can be removed, and additional access conditions can be set to allow for exchange of sensitive and high-risk information. 
• Establish and use U of I Box folders, High Risk/HIPAA U of I Box folders, and Microsoft Teams folders limited to authorized persons only. This will also help you avoid using email as an unintended file repository. 

Use other mechanisms for student records and FERPA-related information.  

• When handling student records such as grades, use only University-authorized student information system(s) such as Banner or MyUI.

Together, we can take these simple steps to protect our students while continuing the University’s important work.

Questions about the use of email for student information? Contact privacy@illinois.edu.

Thank you for your time and consideration, as always,

Meghan Hazen
Registrar
University of Illinois Urbana-Champaign

Phil Reiter, MS MIS
Associate Director, Privacy
Technology Services
University of Illinois Urbana-Champaign