Introduction and organisation: communication: communicating by external email: using email - security classifications
All customer data is classed as OFFICIAL-SENSITIVE or higher. You are authorised to use email for material up to OFFICIAL-SENSITIVE providing you have Informed Consent from the customer.
There is information that falls within OFFICIAL-SENSITIVE that cannot be sent. This is due to the impact of the information being lost/compromised. Information must not be emailed externally that could result in the following:
- Loss leading to identity theft.
- National media attention likely to cause nationwide, prolonged harm to HMRC’s reputation.
- Severe financial loss to the customer, for example unemployment.
- Loss to HMG/public sector of £millions.
- Loss of control of many customers’ data e.g. payroll details.
- Loss of control of a customer’s sensitive data.
- A compromise to the identity / financial status of customers.
- Cause a criminal prosecution to collapse or cause a conviction for a criminal offense to be declared unsafe or referred for appeal.
- Undermine the financial viability of a UK based or UK owned organisation.
- Risk to an individual’s personal safety or liberty.
It is your responsibility to ensure that you fully understand what can, and what cannot, be sent. Please see the Security Zone material on Government Security Classifications. In any case of doubt, consult your manager.
All customer information merits the controls and treatment required for the OFFICIAL-SENSITIVE level of security classification as a minimum. That marking should not be physically displayed in communication with the customer. This means that when sending emails externally, including to customers, you must select ‘OFFICIAL’ and all attachments must have their security classifications removed.