Email Privacy
Is Email Really Secure and Private?
Email is insecure by default; it is no more secure than a postcard sent by lettermail. Although the University follows sound IT practices and due diligence to provide secure, private and reliable email services to its users, it comes down to individual users to exercise caution when using email to communicate confidential or sensitive matters.
The following discusses some potential risks of using email, as well as what users should and should not send.
Risks of Using Email to Share Sensitive Information
Email is perhaps the most common method to share information on campus. However, it also carries some risks, and it is important to consider these risks when deciding whether to send information to someone through email:
- Misdirection - when an email is unintentionally sent to the wrong person. Learn how to minimize the risk of sending misdirected emails.
- Interception - when an email is intercepted by hackers or government surveillance programs. Fortunately, any email sent through Gmail is encrypted for your protection. Learn more about encryption.
- Mishandling by recipient - when the recipient of an email stores it inappropriately, copies it, and/or forwards it to others. As you have no control over how a recipient handles your email, use caution when sending personal or sensitive information.
- Account vulnerabilities - these include a weak password and email phishing scams, both of which leave an email account vulnerable to external threats. Always set a strong password (eight to ten characters long) and never open suspicious emails.
For a further discussion about the risks of using email in the context of sending patient information, please see the OIPC Practice Note. Please also review the following infographic and document for additional general guidelines on email management.
Guidelines for Sending Emails
Avoid emailing:
- medical records;
- credit card numbers;
- social insurance numbers;
- sensitive employee records:
- personnel files,
- salary,
- discipline records,
- information related to a law enforcement investigation,
- third-party business information submitted in confidence.
In general, it is acceptable to email:
- date of birth (but avoid where possible);
- moderately sensitive information:
- grades,
- CCIDs,
- employee and student ID numbers,
- personal contact information;
- non-sensitive information:
- publicly displayed University email addresses,
- accounting chart of accounts,
- anything available on the University's website.
Alternatives to Email: UAlberta Google Drive
Learn more on our Best Practices for Sharing Information page.
Additional Alternatives for Sharing and Storing University Information
Learn more on our Best Practices for Sharing Information page.
Google Privacy Questions
The following questions review the email privacy assessment and statement for the UAlberta Google project.
In Canada, like in the United States, the Government has wide abilities to view personal information that is held in email accounts. The Canadian Government's ability to do this is found in various pieces of Canadian legislation including the Criminal Code, the Canadian Security Intelligence Service Act, the National Defence Act, and others.
The key difference between Canada and the United States is that, in general, the Canadian legislation requires that all warrants for the seizure of personal information must be issued by a judge. However, it still remains that the application to the court for this order/warrant will be made without the knowledge of either the holder of the information or the person who is the subject of the information.
There have been a number of recent bills introduced in the Canadian House of Commons which would increase the scope of information that is available to the Canadian Government and also decrease the number of restraints preventing the Government from accessing that information.
Should you wish to see further information regarding the Canadian system for intelligence gathering you can visit the website for The Office of the Privacy Commissioner of Canada and review a Position Statement produced by that office.
The information may be physically located in the United States, which would allow the US Government to obtain direct access to that information. If the information is located in Canada, the US Government would have to approach the Canadian Government to obtain that same information.
Also, information which is held in an email account has no guaranteed privacy. Any email exists not only in the account it has been sent to, but also in the account it was sent from, in any accounts to which it was forwarded, and likely on many servers which are situated in the United States. If an email user wanted to ensure that their account was not subject to US Government surveillance they would also need to ensure that those with whom they are corresponding have also ensured that their own accounts have no US exposure.