Secure emailing

The aim of this algorithm is to help ensure that information sent by email is properly secured. The algorithm achieves this by alerting email senders to sensitive information and encouraging them to send this information securely. If they choose to do so, the email is secured using encryption, two-factor authentication for the recipient, the option to revoke access, and logging. This ensures that sensitive information is protected, whilst non-sensitive information remains accessible without causing any additional inconvenience to the recipient. The algorithm only affects the process of sending emails and does not affect the substantive legal position of citizens or businesses.

The use of this algorithm helps to ensure that emails are sent with the appropriate level of security. Classifying emails using an algorithm is more effective than classification based on a word list compiled through human input or classification by the sender, whilst at the same time the algorithm does not affect the content of an email.

In principle, the user decides for themselves whether or not to send an email securely, based on the algorithm’s recommendation. It is also possible to automate the decision on whether or not to send an email securely, based on the algorithm. The local authority has not opted for this. In that case, a user can always still choose for themselves whether to send an email explicitly as secure or non-secure.

The algorithm’s overall performance is monitored by the supplier. If it transpires that the algorithm is producing incorrect classifications more frequently, this is detected by the monitoring system, enabling adjustments to be made to the algorithm.

Under the BIO guidelines for the public sector, secure emailing is regarded as a recommended measure where personal data or other sensitive information is sent by email on a regular basis.

The application works by automatically recognising text elements that may refer to sensitive information that needs to be sent securely. Users can also specify themselves whether an email should be sent securely or not.

When composing a new email, the system assesses how similar it is to previously sent (secure or normal) emails, based on the terms used in the message and the attachments. If the email is sufficiently similar to messages that are normally sent securely, it is flagged as potentially sensitive. The terminology used in the email is analysed to determine whether it relates to a specific category of sensitive information, such as medical or legal information. Once the email has been classified as sensitive and concerns a subject that the organisation has specified must be sent securely, the user receives a recommendation to send the email securely.