Stay safe on email

Copying an inappropriate or deeply personal email to a senior colleague or group of unfamiliar co-workers can be embarrassing enough. But if you send unencrypted confidential documents to the wrong people you could cause a serious security breach, and quickly land you and your employer in very hot water. 

At a glance

  • Password-protect and encrypt confidential documents before sending
  • Send the password to the recipient by means other than email
  • Always double-check exactly who you're emailing
  • Use 'BCC’ when sending emails to large groups or mailing lists
  • Protect your email account from malware and phishing

Sharing documents via email

Most people use email for sharing documents with colleagues inside and outside of the University. Email is not the most secure form of communication, the main risks to data come from people getting access to your account, or from sending data to the wrong people. As long as you keep your account secure, your University email will be safe to use in most cases. Just be sure to double check the email address before sending; use ‘Bcc’ when sending bulk emails or use a properly configured mailing list; and seek help from your IT team if you’re in doubt about anything, for example when setting up a mailing list.

If you’re sending confidential data, you need to take extra precautions, such as using password protection. You can use Microsoft Office password protection on recent versions of Office or tools such as Nuance (for PDF documents) or 7-zip. Both are available via the Oxford installer for CONNECT users in UAS. Be sure to share passwords by an alternative method to email, e.g. phone or SMS. Alternatively find another way to share the information.

Sending confidential documents securely by email



  • Use password protection to encrypt confidential documents before sending.
  • Use email or OneDrive for exchanging documents.


  • Use an alternative solution such as SharePoint.
  • Set appropriate access controls so that only the recipient has access.


  • Encrypt the entire email content using dedicated technologies such as PGP or S/MIME.

Alternate solutions to sharing via email


Features to consider/ Solution


Nexus365 OneDrive for Business

Storage Capacity



Documents accessible to external users

No Yes

Authentication required to access

Yes (SSO) Yes (SSO)

Two-factor authentication available

No No

Granular access controls

Yes Yes

Documents encrypted in transit

Yes Yes

Geographical location of data


UK Datacentres

Secure data centre



Certified to industry good practice

Version history

Yes Yes

Alerts sent on access to documents

Yes Yes

Expiry for document sharing

No Yes



Never email important files unprotected 

If you send confidential documents by email without encrypting them first, they could be:

  • Read by someone who accesses your email account (for example, through phishing)
  • Sent accidentally to the wrong people
  • Forwarded to anyone without your knowledge
  • Intercepted en route to the recipient by criminal hackers

How to send secure documents by email

If you are sending sensitive documents, it's essential that you encrypt them first. Here's how:

Choose the right tool. The most recent versions of Microsoft Office, Adobe Acrobat and Nuance Power PDF have built-in encryption and password-protection. For Office documents, use the newer "docx" and "xlsx" formats. 

If you want to encrypt and password-protect multiple files and folders, use free tools such as 7-Zip and Keka.

Whichever tool you use, the important thing is that it uses the industry standard AES 256.

Your encrypted file is only as safe as your password, so make sure it's a strong one

Sharing encryption passwords safely

As well as encrypting your document behind a password, it's important to share the password safely. Sharing the password by phone, text message or in person are all more secure than email, provided you take reasonable steps to make sure you call the correct number or know who you should be speaking to. If you are sharing documents with someone on a regular basis, you could set up a shared password in advance and update it on, say, a monthly basis.

Keeping emails out of the wrong hands

Firing an email off to the wrong person or people is all too easily done. At the risk of stating the blindingly obvious, you need to know who you are sending it to. 

  • Check the 'to' field carefully. Organisational address books may contain several people with the same or similar names.
  • Don't send to group emails and mailing lists without regularly reviewing who is on them.
  • Make sure only authorised people have permission to post, if you are the administrator of a mailing list.
  • Email the message to yourself and BCC your recipients. This means they will not be able to reply all (potentially publicising your mistake), and you don’t expose other people's email addresses.

Other email risks to avoid

If your account gets hacked, it won't be just one wayward email you have to worry about. Anyone with access to your account can see all the emails you've sent and stored, and send them to anyone they want. See our pages on malware,  phishing and protecting your online accounts for more information on how you may be the target of online fraud and what to do about it.