Sending information securely
This guidance complements the Ministry of Justice (MoJ) overall security policy.
This guidance on working securely with paper documents and files applies to all employees, contractors, partners and service providers, including those on co-located sites and sites owned by other public bodies. This also includes employees of other organisations who are based in, or work at, MoJ occupied premises.
Agencies and arm’s length bodies (ALBs) are expected to comply with this corporate framework but may establish their own arrangements tailored to operational needs and should supplement it with local policy or guidance for any business-specific risk.
The MoJ requires employees and contractors to get into the habit of looking after the information that they work with, whether it’s on paper or stored electronically, in the same way they would take care of their personal valuables.
Scope and Definition
This guidance helps you understand the risks involved in sending information. It covers any information that relates to the business of the MoJ, its stakeholders and partners that has been printed out or written down on paper, and information that has been downloaded from IT systems onto ‘removable media’.
This guidance outlines all the basic guidance on sending information using email, post, courier services and fax.
All MoJ information is valuable, and staff are expected to protect everything that relates to the department’s business, including information provided by others. This applies to all information, not just information that is covered by the Data Protection Act or classified under the Government Classification Scheme.
There are different rules for managing and protecting different kinds of paper-based information. You need to know how to:
Identify the correct security level for the information you work with.
Handle it according to the relevant rules.
All employees, contractors, partners, service providers and employees of other organisations who are on MoJ premises and co-located sites remain accountable for the security, health and safety of themselves, colleagues and the protection of departmental assets.
Email is the preferred option for securely transferring information between yourself and another civil servant. You shall use departmental equipment and transfer between Official or CJSM email accounts.
If the person or organisation you are sending the information to is outside departmental Official or CJSM networks, you shall consider the sensitivity of the information. It might be safer to send it on encrypted removable media or in hardcopy.
Sending bulk information
Transferring bulk data shall be authorised by a senior manager.
The definition of bulk or high volume is not specific. Removable media such as laptops, disks or memory sticks can hold thousands of records. They have the benefit of encryption to prevent access to the data, but the damage if they are lost and the information cannot be retrieved remains high. However, information is immediately accessible if even a single paper file is lost, so the risks need to be managed differently.
As an indication, datasets containing the electronic records of 1,000 or more people would count as bulk, whilst decisions on using more secure forms of movement might apply to much smaller volumes of case files. It might also apply to lesser volumes where names and addresses are combined with sensitive information that might lead to identification.
In all cases, consideration shall be given to the risk and impact of causing individuals or the MoJ to suffer harm or loss, service disruption, or reputational damage.
Using post and couriers
There is a range of methods for sending documents, depending on the potential harm that might result from loss. This relates to their security classification and the volumes involved. Use a method that is appropriate for the type of information:
For normal inter-office transit, use DX delivery services or agreed contracts for the movement of papers or files. Royal Mail letter post is otherwise acceptable for standard non-sensitive material, or letters at Official.
The classification and any handling caveat such as Official-Sensitive shall not be shown on the outer envelope. If the contents are sensitive, particularly if they contain personal details intended for an individual, the envelope should be marked ADDRESSEE ONLY. Post rooms shall check addressee details, and shall not open any envelope marked in this way.
If more security is needed, either because material is being sent in bulk or the contents are more sensitive, tracked options including tracked DX or special delivery should be used.
Material marked Official-Sensitive can be sent using any of the previous methods, with a return address and no protection marking on the outer envelope.
Double enveloping might also provide additional protection, especially if there is a risk the package might burst or if it is being sent to a non-MoJ location where the ADDRESSEE ONLY instruction might not be recognised.
If you are sending sensitive or bulk information, you shall ensure that the recipient is expecting it and get confirmation of receipt. Consider a solution that allows you to track delivery. If you need to transfer or send personal data to or outside of the European area, discuss it first with the Data Protection Team.
Faxing documents between sites
Office faxes shall only be used for transmission and exchange of MoJ information where other more secure means of communication, for example Official government email, are not possible.
Where use of fax machines (including Goldfax where available) remains the best option, it shall only be for information classified at Official and that is not especially sensitive. The reason is that fax material is sent over public networks. Faxed information might be individual items, including personal data.
Bulk transmission of personal data and information marked Official-Sensitive shall only be allowed following a risk assessment and approval from the Information Asset Owner.
The following controls and procedures shall also be applied by staff:
Ensure that the recipient has a legitimate need to access department information for official business purposes.
Take care to ensure that the correct number has been dialled, and that the authorised recipient is attending the receiving fax terminal at the time the information is being faxed.
Immediately contact the authorised recipient to authenticate that they have received the information, verifying the quantity (the number of pages), and content of the information.
If the recipient’s fax line is busy and a transmission is not possible, wait until it is free. Do not leave the fax machine unattended. You shall confirm that the authorised recipient has received all the information.
Each transmission should carry the following:
A unique reference number.
The identity of the originator.
The identity of the intended recipient.
A record of the number of pages transmitted.
Ensure that the authorised recipient is aware of the handling requirements for Official information, including preventing information being viewed or accessed by unauthorised persons in their business.
If the fax is configured to produce a confirmation of transmission report, including a copy of the first page of the transmission, ensure that you retain this hardcopy information and that it is not left on the fax machine where it might be seen by those who do not ‘need to know’.
Ensure that the fax is configured correctly, and that functions such as polling reception (programming to send messages to specific numbers), redirection, forwarding, and remote control are disabled.
Overview of threats and vulnerabilities
The public service telephone networks through which fax messages are transmitted are exposed to several significant security vulnerabilities and threats. These include:
The potential that even UK to UK transmission is routed to overseas networks, increasing risks.
Transmission within the UK may be intercepted at several places along the route.
In addition, the risks associated with fax machines are as follows:
Unauthorised access to the built-in message stores to retrieve messages.
Deliberate or accidental programming of machines to send messages to specific numbers.
Sending documents and messages to the wrong number, either by misdialling, or by using the wrong stored message.
Viewing of protectively marked messages by unauthorised persons, for example copies left unattended and unsecured on fax machines and traffic logs, and copies of fax messages retained on the machine’s memory being accessed.
What to do if you think there has been a security breach
If you suspect that the security of the information you work with has been compromised in any way, you should report it immediately. A security breach doesn’t have to involve the actual loss of information. The potential loss of information also counts.
For example, if a security cabinet has been left unsecured, there might be no evidence that any information has been lost or interfered with, but there is a clear potential for loss or damage.
The level of risk and potential impact to MoJ assets and, most importantly, physical harm to our people and the public determines the controls to be applied and the degree of assurance required. The MoJ shall ensure that a baseline of physical security measures is in place at each site, and receive annual assurance that such measures are in place to provide appropriate protection to all occupants and assets, and that these measures can be strengthened when required, for example in response to a security incident or a change in the Government Response Level.
The implementation of all security measures shall be able to provide evidence that the selection was made in accordance with the appropriate information security standards ISO27001/27002, and with Physical Security advice taken from the Centre for the Protection of National Infrastructure (CPNI) and Government Functional Standard - GovS 007: Security.
The constantly changing security landscape has necessarily dictated that Physical Security measures be constantly re-evaluated and tested in order to meet new threats and other emerging vulnerabilities. This policy and subsequent supporting standards are subject to annual review or more frequently if warranted.
Physical security advice
Physical security advice can be obtained by contacting MoJ Group Security.
Annex A: Suitable carriers
This guidance does not provide an exhaustive list of suitable carriers but does identify recommended options. The following notes provide further details.
Ordinary letter post is acceptable for Official correspondence with members of the public or items that must be sent to private addresses. To prevent inappropriate opening of personal letters with sensitive personal data sent internally or to other business addresses, you should mark the envelope ‘addressee only’. This might also require double enveloping to protect the contents in transit, and prevent inappropriate opening on delivery.
Recorded delivery should be used if the letter contains particularly sensitive information or identity documentation. The sender is given a reference and can confirm delivery and obtain a copy of the signature through the Royal Mail website.
This is similar to recorded delivery, but requires a named signature for receipt. Earlier delivery can be arranged (9am or 1pm). This service also allows online tracking of the item, suitable for more sensitive documents.
For more information, refer to the “Courier and postal services Royal Mail” document available on MoJ MyHub (log in to MyHub and use the search facility to locate the document).
Ordinary DX services are acceptable for sending low volumes of files or enveloped papers between sites and other justice agency partners with registered DX addresses. When sending any volume or sensitive papers, managers should ensure that the receiving office is expecting the delivery, and check receipt.
This is recommended when a more formal tracking is required, either because of the volumes of files, or because they contain particularly sensitive case information.
There are two further DX options which give added security:
For more information, refer to the “Courier Services Document Exchange and Next Day – DX Network Services” document available on MoJ MyHub (log in to MyHub and use the search facility to locate the document).
You can also use tracked courier services provided by FedEx.
For any further questions or advice relating to security, contact: firstname.lastname@example.org.
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: email@example.com.