Can I send sensitive PII to a group email address?

Securely Handling Sensitive Personal Data via Email

25/02/2017


In today's digital age, email remains a primary communication tool. However, when dealing with sensitive personal information (PII), such as data protected under the Privacy Act, a robust understanding of secure email practices is paramount. Simply sending an email without proper precautions can expose individuals and organisations to significant risks, including data breaches and non-compliance with regulations. This guide will delve into the critical aspects of emailing PII, ensuring your communications are both efficient and secure.

Can I send sensitive PII to a group email address?
Do not send sensitive PII protected under the Privacy Act (PA), including attachments, to distribution lists, group addresses or organizational email addresses unless every member of the list, group or organizational box has an official need to know and the email is encrypted. When in doubt, send encrypted mail only to individual accounts.

Understanding PII and its Protection

Personally Identifiable Information (PII) is any data that could potentially identify a specific individual. This can range from names and addresses to more sensitive details like social security numbers, financial information, or health records. The Privacy Act (PA), and similar legislation, mandates strict controls over how this data is handled, transmitted, and stored. Failure to comply can result in severe penalties.

Sending PII to Group Email Addresses: A Cautionary Tale

A common pitfall is the indiscriminate use of group or distribution list email addresses. The guidance is clear: never send sensitive PII to distribution lists, group, or organisational email addresses unless every single member of that list has an explicit, official need to know the information. Even then, the email must be encrypted. If there's any doubt about who might access the information, err on the side of caution and send it only to individual, secure accounts, ensuring it is encrypted.

The Pillars of Secure PII Emailing

When emailing PII, whether in the body of the message or as an attachment, several key requirements must be met to ensure security and integrity:

  • Need-to-Know Basis: Emails containing PII should only be sent to recipients who have a legitimate, official need to access that information. This is a fundamental principle of data protection.
  • Subject Line Marking: The SUBJECT line of any email containing PII must clearly include the marking "CUI" (Controlled Unclassified Information). This serves as an immediate alert to recipients about the nature of the content.
  • Attachment Security: If an attachment contains PII, the file name itself should include the "CUI" marking. Furthermore, the top and bottom of each page within the attachment must also be marked "CUI". The first page should ideally include a specific CUI indicator block.
  • Email Body Security: Similar to attachments, if the body of the email contains PII, the top and bottom of the email message must bear the "CUI" marking, and it should incorporate a CUI indicator block.
  • Digital Signing and Encryption: This is perhaps the most critical technical requirement. Emails containing PII must be digitally signed and encrypted. It's important to understand that digitally signing is not the same as a standard email signature block.
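The requirements above can be enforced as a pre-send check on a draft, before the mail client signs and encrypts it. This is an added illustration, not an official tool; the group-address list, the `check_pii_draft` and `build_draft` names, and the sample addresses are all constructed for the example.

```python
"""Pre-send compliance check for a draft email that contains PII (added example)."""
from email.message import EmailMessage

MARK = "CUI"
# Constructed sample: addresses the organisation knows to be distribution lists or group boxes.
KNOWN_GROUP_ADDRESSES = {"all-staff@example.mil", "helpdesk@example.mil"}


def check_pii_draft(msg: EmailMessage, will_sign_and_encrypt: bool) -> list[str]:
    """Return policy findings for the draft; an empty list means it may be sent."""
    findings = []
    # Need-to-know: no distribution lists or group boxes among the recipients.
    for header in ("To", "Cc"):
        for value in msg.get_all(header) or []:
            for addr in value.addresses:
                if addr.addr_spec.lower() in KNOWN_GROUP_ADDRESSES:
                    findings.append(f"group address {addr.addr_spec}: send to individual accounts only")
    # Subject line must carry the CUI marking.
    if MARK not in (msg["Subject"] or ""):
        findings.append('subject line lacks "CUI" marking')
    # Body: first and last non-blank lines must carry the marking.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        lines = [ln.strip() for ln in body.get_content().splitlines() if ln.strip()]
        if not lines or MARK not in lines[0] or MARK not in lines[-1]:
            findings.append('email body not marked "CUI" at top and bottom')
    # Attachments: the file name must carry the marking.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if MARK not in name:
            findings.append(f'attachment "{name}": file name lacks "CUI"')
    # Signing and encryption are done by the client; the draft is only sendable if both will happen.
    if not will_sign_and_encrypt:
        findings.append("message must be digitally signed and encrypted")
    return findings


def build_draft(to: str, subject: str, body: str, attachment_name: str) -> EmailMessage:
    """Construct a sample draft with one PDF attachment (constructed content, not real PII)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.mil"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename=attachment_name)
    return msg


if __name__ == "__main__":
    draft = build_draft("all-staff@example.mil", "travel voucher", "please see attached", "voucher.pdf")
    for finding in check_pii_draft(draft, will_sign_and_encrypt=False):
        print("BLOCKED:", finding)
```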

Digital Signing vs. Signature Blocks

A common misconception is that a standard email signature block (your name, title, contact information) constitutes a digital signature. This is incorrect. A digital signature is a cryptographic operation: your private key signs a hash of the message, producing a value that recipients check with your public key. A valid signature verifies your identity and shows the email hasn't been tampered with in transit.

How Digital Signatures and Encryption Work

The process relies on Public Key Infrastructure (PKI) and typically involves a Common Access Card (CAC). A CAC contains cryptographic keys:

  • Private Key: Stored securely on your CAC, this key is used to digitally sign outgoing emails. When you sign, this key provides non-repudiation (proof it came from you) and integrity (proof it hasn't been altered). Your certificate, which carries your public key, is sent along with the signed email.
  • Public Key: The recipient uses your public key to verify your identity and the integrity of the message. To encrypt an email, you use the recipient's public key. Only the recipient's corresponding private key can decrypt and read the message, ensuring confidentiality.
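The sign-then-encrypt flow described above, as an added example that is not from any official tool: it uses the `cryptography` package (assumed installed) and software-generated RSA keys as stand-ins for the keys held on a CAC; the `sign_and_encrypt` and `decrypt_and_verify` names are mine. As in S/MIME, the message itself is encrypted with a fresh symmetric key and only that key is wrapped with the recipient's public key.

```python
"""Sign with the sender's private key, encrypt to the recipient's public key (added example)."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_key():
    """Stand-in for a CAC private key (on a real card the key never leaves the hardware)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign_and_encrypt(message: bytes, sender_priv, recipient_pub) -> dict:
    """Sender side: signature with own private key, then envelope to the recipient's public key."""
    signature = sender_priv.sign(message, PSS, hashes.SHA256())
    payload = len(signature).to_bytes(2, "big") + signature + message  # signature travels inside the envelope
    content_key = AESGCM.generate_key(bit_length=256)  # fresh per-message symmetric key
    nonce = os.urandom(12)
    return {
        "wrapped_key": recipient_pub.encrypt(content_key, OAEP),  # only recipient_priv can unwrap this
        "nonce": nonce,
        "ciphertext": AESGCM(content_key).encrypt(nonce, payload, None),
    }


def decrypt_and_verify(envelope: dict, recipient_priv, sender_pub) -> bytes:
    """Recipient side: unwrap with own private key (confidentiality), then verify the
    signature with the sender's public key (identity and integrity). Raises ValueError for
    the wrong recipient key, InvalidTag for a tampered ciphertext, InvalidSignature for a
    signer whose key is not `sender_pub`."""
    content_key = recipient_priv.decrypt(envelope["wrapped_key"], OAEP)
    payload = AESGCM(content_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    sig_len = int.from_bytes(payload[:2], "big")
    signature, message = payload[2:2 + sig_len], payload[2 + sig_len:]
    sender_pub.verify(signature, message, PSS, hashes.SHA256())
    return message


if __name__ == "__main__":
    sender, recipient = generate_key(), generate_key()
    env = sign_and_encrypt(b"CUI\nSSN: 000-00-0000 (constructed)\nCUI", sender, recipient.public_key())
    print(decrypt_and_verify(env, recipient, sender.public_key()).decode())
```

The recipient's verify step is what a mail client performs when it shows a signature as valid; a changed ciphertext or a signer other than the expected one is rejected before any content is shown.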

Acceptable Methods for Emailing PII

To meet these stringent requirements, specific methods are supported:

Method 1: Digital Signing and Encryption via Outlook

This is a widely supported method that requires:

  • Using Microsoft Outlook.
  • Both sender and recipient possessing valid CAC email certificates linked to their official email addresses.
  • The sender having the recipient's digital certificate saved in their contacts before encrypting.

Resources for setting up your account and using this method are typically available through IT service centres. You can often find and download the digital certificates of other Department of Defense (DoD) personnel through the DoD Enterprise White Pages, accessible via a CAC.

Method 2: Department of Defense Safe Access File Exchange (DoD SAFE)

DoD SAFE is an authorised platform for sending unclassified files, including PII, CUI, Protected Health Information (PHI), and large files (up to 8GB). Even users without a CAC (guest users) can utilise DoD SAFE to send files to CAC holders, provided the CAC holder initiates the file request through the platform first. Visit https://safe.apps.mil to use DoD SAFE.

Handling CAC Certificate Recovery for Encrypted Emails

A crucial point regarding encrypted emails is certificate management. An encrypted email can only be decrypted with the private key matching the CAC encryption certificate it was encrypted to. If you obtain a new CAC, your old certificates are not automatically transferred. To read emails encrypted to a previous certificate, you must reload those certificates onto your new CAC.

Failure to do so will result in decryption errors when you attempt to read older encrypted messages. To recover your previous certificates, you should consult specific guidance, often provided in documentation like the DoD PKI Automatic Key Recovery slide deck. Accessing these recovery sites may require using a DREN VPN to avoid errors.

How do I sign a PII email?
If the body of the email contains PII, the top and bottom of the email must include the marking "CUI", and it should include a CUI indicator block. The email must be digitally signed and encrypted. (Note: digitally signing an email is NOT the same as appending a "signature block" to the bottom of the outgoing message contents.)

Summary Table: PII Emailing Requirements

| Requirement | Action Needed | Details |
|---|---|---|
| Recipient Access | Verify Need-to-Know | Only send to individuals with an official need. Avoid group emails unless all members qualify and the email is encrypted. |
| Subject Line | Mark as CUI | Include "CUI" in the subject line. |
| Attachment Marking | Mark File and Pages | Include "CUI" in the file name and on each page. Include a CUI indicator block on the first page. |
| Email Body Marking | Mark Top/Bottom | Include "CUI" at the top and bottom of the email body. Include a CUI indicator block. |
| Authentication & Confidentiality | Digitally Sign & Encrypt | Use PKI certificates. Digital signing verifies identity and integrity; encryption ensures confidentiality. |

Frequently Asked Questions (FAQ)

Q1: Can I send PII to a colleague's personal email address?
A1: No. PII should only be sent to official, secure government email addresses and only to individuals with a verified need-to-know. Personal email addresses are generally not considered secure for transmitting PII.

Q2: Is a simple password on a PDF attachment enough?
A2: No. While password protection can offer a layer of security, it does not meet the cryptographic requirements for digitally signing and encrypting PII as mandated by regulations. You must use methods like CAC-based encryption.

Q3: What if I don't have the recipient's digital certificate saved?
A3: You will not be able to encrypt the email for that recipient. You must obtain their certificate (e.g., from the DoD Enterprise White Pages) and add it to your contacts before you can send them encrypted PII.

Q4: My CAC expired, and I got a new one. Can I still read old encrypted emails?
A4: Only if the certificates from your old CAC were properly recovered and loaded onto your new CAC. Otherwise, you will need to follow the specific recovery procedures to access those older messages.

Q5: What is the difference between CUI and PII?
A5: PII (Personally Identifiable Information) is data that identifies an individual. CUI (Controlled Unclassified Information) is a broader category of information that requires safeguarding and dissemination controls, which often includes PII but can also encompass other sensitive but unclassified data.

By adhering to these guidelines, you can significantly enhance the security of your email communications when handling sensitive personal data, protecting both individuals and your organisation from potential risks.
