Protecting student data when sending emails

All staff received an email this past week about an incident where someone sent a group of students an email using the To: field and their personal email addresses. Personal email addresses and other personal data should not be shared in this way. It is best to send emails using Bcc: (where recipients do not see each other) and University email addresses should be used for regular student communications.

This is quite a serious issue legally for the University. We take keeping our students’ personal information confidential very seriously.

The good news is that Blackboard makes this easy for staff to do. When you send emails to students through Blackboard, the emails automatically go out Bcc, in addition to being sent to the official University email address. Now that students can set up their University email account so the emails are forwarded to any personal email account they want, there is no need to email their personal addresses directly.

To help inform staff, the University has created some Dos and Don’ts for sending students emails.  In addition we are reposting the contents of the email below which more fully explains the situation to help ensure staff are alerted about these issues:

Staff Reminder – Data Security: Emailing Groups of Students

The University has recently received a complaint from the Information Commissioner’s Officer following the disclosure of private email addresses in a mailing to a group of students returning from a placement year. The member of staff who sent the email used both the address and the private email address (e.g. hotmail or yahoo) for each student and entered them into the “To” field instead of using the “Blind Carbon Copy” or “Bcc” field. This was unauthorised disclosure of private email addresses to other members of the group.

Contact details including email addresses are personal data as defined by the Data Protection Act, and although the University email addresses can be shared within the University, private email addresses should not normally be shared or disclosed without the consent of the individual.

Students should be made aware that the University will normally use their email address for communications and that it is each student’s responsibility to check their University email account.

The use of private email addresses will be limited to urgent and important emails to individual students in exceptional circumstances. Staff should also use the encrypted email service for external emails containing personal data (see Electronic Data Encryption Policy).

All mailings to groups of students should be made using the “Bcc” function.

Alternatively Blackboard and shuspace can be used for student messages. See How to Email Students via a Blackboard Site

Please also be aware that students’ email accounts have a forwarding function. The student can set up their account so that all emails received in their University account are automatically forwarded to their own personal account. IS&T have publicised this to students, but faculty staff should also publicise this to their students, particularly at the start of the academic year, and before vacations and placements.

Please note that failure to comply with the University’s Data Protection Policy and guidance may be a staff disciplinary issue. Failure to comply with the Data Protection Act (DPA) may result in the Information Commissioner taking enforcement action against the University including imposing fines of up to £500,000 for serious breaches of the DPA.

Finally, if you become aware that there has been unauthorised disclosure of personal data or of some other kind of data breach within the University, you must report this immediately to the University Secretariat in accordance with the Data Security Breach Management Procedures

Further information about Data Protection

For advice on specific Data Protection issues please contact:
Helen Williamson, Information Governance Officer, University Secretariat, SRD
Telephone: x3361; email:

Leave a Reply