Email and Calendar Policy

Email and Calendar Policy:

1. Scope

1.1 The Policy for using and managing email and Outlook calendars applies to all LGSCO staff (used here to include contractors and others with a contractual arrangement to work for or on behalf of the organisation), who use email and the Outlook calendar. It has been approved by the Commission and will be reviewed at least every two years.

1.2 The LGSCO will provide training in using and managing email where necessary and will inform staff of any changes made to this policy. The Email Policy is to be read in conjunction with the Information Security Policy.

2. Purpose

2.1 The purpose of the Email and Calendar policy is to ensure the LGSCO has in place adequate mechanisms to:

ensure email messages that form records of business activities are managed appropriately
ensure compliance with Data Protection and Freedom of Information legislation, and
mitigate against the risks of inappropriate and excessive data storage.

2.2 Everybody should be familiar with the content of the policy.

2.3 Email messages should be treated with the same level of attention as that given to writing and managing formal letters.

3. Principles

3.1. All business and casework data held on the LGSCO’s IT systems (including email) belong to the LGSCO and not any individual or group. Emails should therefore generally be stored in an appropriately accessible place, see the IT User Handbook for guidance on saving emails outside Outlook for more details. All staff are individually responsible for managing email appropriately, and identifying and managing email messages that constitute a record.

3.2. When an email is sent or received it is the user’s responsibility to decide whether it needs to be captured as a record, ie appropriately stored outside Outlook.

3.3. All casework email must be stored in ECHO.

3.4. Casework material will be sent through the ECHO email system, except when it has to be sent via Outlook (for example, for audio versions of communications and recovered mail Echo can’t process). Extra care should be taken and Outlook sensitivity options should not be relied on. The emails in Outlook should be deleted immediately.

3.5. If Outlook is used for casework emails, these must be uploaded to ECHO so that they are managed according to the retention and disposal policy, and any copies remaining in Outlook must be deleted immediately. Emails in Outlook are still subject to Data Protection requests from complainants.

3.6 Non-specific casework emails: Internal Outlook emails may be casework related but not case specific, for example, Forum discussions. Care must be taken to avoid identifying individuals in these emails wherever possible, so avoid using the complainant’s name, reference number or any identifying information that would constitute personal data when emailing to Forum groups. If it is not possible to avoid identifying a complainant, ensure you also forward any response which you have relied on to help reach your decision to the Echo record of that case. Ensure all Forum discussions in Outlook are deleted once the discussion is concluded.

4. Confidentiality

4.1. Email communications are covered by the Data Protection Act and must be treated in line with the principles outlined in the Act. The LGSCO has a duty to protect the confidentiality of personal data about individuals, especially sensitive casework information (which must be sent by encrypted email) and to only use the information for the purpose for which it was obtained.

4.2. Email communications are disclosable to individuals under a Subject Access Request. Care should be taken when referring to individuals (including staff members) in emails. Using Outlook rather than ECHO for internal casework emails does not avoid this issue.

4.3. Sending emails is not inherently more unsafe than using normal overland post, but electronic communications may be inadvertently redirected or subject to mischievous interceptions, hence the importance of using encryption when appropriate.

4.4. Particular care is needed to verify the identity of the intended recipient of sensitive casework information and special category personal data (especially if it is a private email address not commonly used). Therefore you will:

use an established email address already registered on ECHO
otherwise, check email addresses before sending, if necessary verify the address by phone first especially the first time you use it, and check the email has been received
not send sensitive casework information or special category personal data to multiple addresses
consider whether encryption is needed – see the Information Security Policy so you know when you must use encryption
only address one data subject in each email (unless they are joint complainants, though consider whether this is advisable anyway), and
if using Outlook, do not rely on the sensitivity options.

4.5. Confidential information must not be transferred between the office and home by email outside the LGSCO’s systems (for example, to a private computer or email account), see Information Security Policy.

4.6. The LGSCO’s standard disclaimer in Outlook does not necessarily protect individual members of staff from potential legal action if a message were to include unsupported allegations, or if it unintentionally disclosed sensitive or inappropriate information or information sent ‘in confidence’ to the LGSCO. Nor does it mean that information is exempt under Freedom of Information or Data Protection legislation. All information, including emails, has to be assessed in relation to a request and has the possibility of being disclosed.

5. Outlook features

5.1. Mailbox housekeeping: Outlook mailboxes have limited capacity and staff will be required to perform at least monthly email housekeeping to ensure data that needs to be retained is captured as a record and extraneous material deleted.

5.2. Standard signature: The standard LGSCO signature shall be used in Outlook – see instructions on email signatures. Employees must include their telephone extension in their internal email signature.

5.3. Auto-suggest addresses: Outlook suggests previously used email addresses as you type. Regularly pruning (highlight the address and press delete) will reduce the risk of sending email to an incorrect address.

5.4. Outlook calendar: All staff must ensure their Outlook calendar is kept up-to-date with appointments, meetings, and leave etc to enable other staff to arrange meetings electronically using the tools available within Outlook. Outlook calendars must be set to ‘shared’ to enable other staff to view them. Guidance on how to open your calendar is on the intranet.

Avoid including attachments in meeting invitations to prevent personal, sensitive or confidential information being visible and, potentially, unlawfully shared. Send relevant documents separately, for example through email, by providing links to the shared corporate drives, or on approved document sharing sites such as Teams.

When accepting meeting invitations from internal and external sources, including as a delegate for someone else’s calendar, check for attachments containing information that should not be shared outside of the meeting invitees. Meeting invitations may contain personal data of the invitees, such as personal email addresses. Protect information in the invitation, and any attachments, by making the meeting ‘private’ and consider also removing and saving attachments elsewhere in a more private location.

Delegate permissions need to be set up correctly to enable the person delegated to make privacy setting changes.

Interview, grievance, disciplinary and appeal meeting invitations must always be set as ‘private’.

6. Access to mail accounts during absences

6.1 In the case of planned absences (eg holidays) staff should use the ‘Out of Office Assistant’ in Outlook instructions. For planned absences of more than one working day, the auto-reply message must give an alternative contact and state when a full reply can be expected. For a prolonged absence set up a ‘delegate’ in Outlook who can check your emails while you are away. Under no circumstances should you set auto forward to send your email to a non-LGSCO address outside the office.

6.2. Within ECHO all incoming email is accessible to all users, and arrangements shall be made for team coordinators to check investigators’ emails in their absence. Action needs to be taken for urgent issues such as JR applications or threats, and access to information requests. ECHO does include an out of office facility which you should use. For planned absences of more than one working day, the auto-reply message must give an alternative contact and state when a full reply can be expected.

7. Identifying and managing email records

7.1. A record can be described as ‘information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.’ This applies to any information, including emails.

7.2. Records should be identified and managed in accordance with existing records management policies. (For casework email, this means ensuring they are all stored in ECHO.) When an email is sent or received, you should decide whether it constitutes a record and needs to be ‘captured’ by saving it to a folder in a shared drive. (See “‘How to’ guide on email: saving emails outside Outlook”.) This should be done as quickly as possible. Once an email message has been captured, it must be deleted from your mailbox. This is particularly important with sensitive personal data. For example, if a line manager has sensitive disciplinary data about a member of staff in email correspondence, this should be retained within HR records and the line manager should delete their copies.

7.3. Most email messages will form part of a ‘thread’ and it is best to capture the entire thread wherever possible (deleting incomplete duplicate parts of the thread).

7.4. With attachments, decide whether to capture the email message, the attachment, or both as a record. In many cases, the email message should be kept with the attachment, as the message provides the context within which the attachment was used. (Avoid sending attachments internally as much as possible by including links to documents saved in the K: drive, or other shared drives, instead.)

7.5. The title (subject line) of an email does not always reflect the reason for capturing it as a record. Renaming emails is particularly important when they represent different parts of an email string as it helps identify the relevant aspects of the conversation.

7.6. Staff should capture emails as records outside the email system where they will be easier to find if subject to an FOI/DPA request or otherwise need to be found by someone other than the user who stored it.

8. Misuse of email

8.1. Sending or forwarding the following types of message is strictly prohibited:

pornographic, sexist or racist images or text
material of a politically extreme or derogatory nature
messages criticising or pressurising colleagues and which avoid the need for face-to-face contact. This may constitute bullying under the LGSCO’s harassment policy
flirtatious comments or content contrary to the equality and diversity policy. This is inappropriate and in some circumstances may amount to harassment, and
messages containing information which could be found to be defamatory (eg an unsubstantiated critical opinion of an individual).

8.2. Email containing inaccurate information in the form of opinion or fact about an individual or organisation may result in legal action being taken against the person sending the email message as well as anyone forwarding the email message on to others. If a message contains information that is not supported by fact, this should be clearly indicated.

8.3. An email message may constitute a legally binding contract. Staff must not order goods or services on behalf of the LGSCO without proper authorisation.

8.4. Action in contravention of these paragraphs is likely to lead to disciplinary action. Staff should be aware that all email messages are readily traceable and can constitute a formal record which may be used as evidence in legal proceedings.

9. Personal use of email

9.1. The LGSCO’s email facilities (through lgo.org.uk) can be used to send short personal messages (eg to notify changes in travel arrangements and delayed departure from the office) during the working day and may be used to send longer personal messages before starting and after finishing their working day and during lunch times. Staff should not use their work email address to subscribe to websites that are not work related, such as retailers. This increases the volume of unnecessary email to the organisation and increases the chances of spam and phishing emails.

9.2. The LGSCO reserves the right to monitor employees’ emails, but will inform an affected employee when this is to happen and the reasons for it, unless covert monitoring is justified. The organisation considers the following to be valid reasons for checking an employee’s email:

If the employee is absent for any reason and communications must be checked for the smooth running of the business to continue.
If the organisation suspects the employee has been viewing or sending offensive or illegal material, such as material containing racist terminology or nudity (although the organisation understands that it is possible for employees inadvertently to receive such material and they will have the opportunity to explain if this is the case).
If the organisation suspects the employee has been using the email system to send and receive an excessive number of personal communications.
If the organisation suspects the employee is sending or receiving emails that are detrimental to the organisation.

9.3. When monitoring emails, the LGSCO will, except in exceptional circumstances, confine itself to looking at the address and heading of the emails. Employees should mark any personal emails as such and encourage those who send them to do the same. The organisation will avoid, where possible, opening emails clearly marked as private or personal.

9.4. Covert monitoring would be justified if criminal activity or equivalent malpractice is suspected and where notifying the employee(s) concerned would prejudice the detection or prevention of the activity.

9.5. The organisation reserves the right to retain information it has gathered on employees’ use of email for a period of one year.

9.6. Staff who have concerns about the privacy of their personal emails may instead correspond on LGSCO equipment using an external email service (eg: hotmail). But the constraints in 9.1 (concerning times) and 8.1, 8.2 and 8.3 (concerning misuse) also apply to such activity when using LGSCO equipment.

10. Anti-virus protection

10.1. For information on our anti-virus protection arrangements, see the Information Security Policy.

10.2. While the LGSCO systems are effective at filtering spam and virus emails, staff should be vigilant when opening or following a link from an unsolicited or unexpected email to ensure the integrity of the network and systems are not compromised.

November 2020

Cookie name	Description	Action
ASPSESSIONID	This helps the site to function smoothly during your visit. For example, remembering your display settings and online complaint form preferences.
CookieNotice.Analytics	Used to remember your choice for analytical cookies.
TH_TOOLBAR_SETTINGS	Stores an object containing user specific settings for the Browsealoud toolbar such as dialog positions and button states. No personally identifiable data is stored.
API_SETTINGS	Stores an object containing user specific API settings for the Browsealoud toolbar such as voice and language selection, user preferences set in the toolbar settings panel and selected styles for word highlighting. No personally identifiable data is stored.
audioalert	Stores a value ‘audioalert = true’ after the first Browsealoud audio alert.
__utma	Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics.	BrowseAloud v.3 documentation Privacy policy
__utmt	Used to throttle request rate.	BrowseAloud v.3 documentation Privacy policy
__utmb	Used to determine new sessions/visits. The cookie is created when the javascript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics.	BrowseAloud v.3 documentation Privacy policy
__utmc	Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the__utmbcookie to determine whether the user was in a new session/visit.	BrowseAloud v.3 documentation Privacy policy
__utmz	Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics.	BrowseAloud v.3 documentation Privacy policy
_ga	Used to distinguish users. The ID is used only to identify the session for the statistics and is completely anonymous.	BrowseAloud v.3 documentation Privacy policy
_gat_UA-4669579-11	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_.	BrowseAloud v.3 documentation Privacy policy
_gid	Used to distinguish users.	BrowseAloud v.3 documentation Privacy policy

Company	Description	Action
Google Inc = _ga	Google Analytics tracking cookie. Helps us to know how many people visit our site by tracking if you've visited before.	Terms and conditions Privacy policy
Google Inc = _gid	Google Analytics tracking cookie. Helps us to know how many people visit our site by tracking if you've visited before.	Terms and conditions Privacy policy
Google Inc = _gat	Google Analytics tracking cookie. Used to manage the rate at which page view requests are made.	Terms and conditions Privacy policy