Using Email: A Guide for Anti-Violence Organizations

La plupart des organisations antiviolence utilisent quotidiennement le courriel pour communiquer directement avec les survivantes ou coordonner les services avec d’autres organismes communautaires. Les recommandations suivantes portent sur la sécurité des communications par courriel.

Do not restrict emailing with survivors. Even though email communication has risks, declining to email survivors is not the solution. Let the survivor determine the means of communication that can best accommodate their ability, access, and needs.

If a survivor contacts your organization through email, your response should be to:

• Include information about the risks related to email communication and discuss email safety and privacy with the survivor, as well as how they can delete the messages they have sent and received if they choose to and how to clear out their deleted folder if they choose to.
• Ask if there are safer ways that you can communicate. For some, it may be the only method available to get help, but for others, a phone, video call, or in-person meeting may be safer.
• If email communications continue, check in periodically to see if email is still a safe and preferred method of communicating.

Do not store survivors’ names and email addresses in email address books. Most email organizations will autofill the rest of the address for you after you type the first few letters of the name. To prevent sending emails to the wrong person, make sure to double-check the address before hitting send.

If you print an email exchange, pursuant to your organization’s privacy policies, you can shred the copy of the email conversation when appropriate to do so. Also, under the organization’s privacy policies, when the appropriate time under the applicable privacy laws has elapsed and the survivor’s records are to be destroyed, electronic messages such as emails need to be destroyed including purging the “sent” and “deleted” folders as well.

Internal communication about survivors should be limited to necessary communications as the emails become part of the survivor’s record at the organization. Before emailing a co-worker about a survivor, consider other options such as discussing the matter with your colleague in person or over the phone.

The organization’s privacy policies should address when an employee communicates via email with third parties to convey confidential information about a survivor. Privacy laws that apply to the organization must be followed. In addition, the potential risks related to email communication should be considered even when the organization has permission from the survivor to release information to a third party via email communications. Only communicate with a third party about the specific information that the survivor has consented to share. Organizations must have a written and time-limited release from the survivor before sharing any information.

As part of the release process, ensure that survivors are fully informed of the email process and the related security risks so that they can make an informed decision. Anti-violence workers should be prepared to discuss their organization’s process to ensure that email communications are secure and any potential risks are made clear. Risks may include that you cannot control what the recipient does with the email once they receive it and that they may send a reply to you in an unencrypted format.

Email products are available that offer secure encrypted email but there are drawbacks to some of these products. The majority of these products (even many of those marketed as encrypted) have access to the content of the emails sent and received by account holders. If the companies can access the content, then the communication may not be regarded as truly private or secure.

Stronger email protection is “zero knowledge encryption,” which makes the data being sent back and forth unreadable to the software company that hosts the email. It is important to know that while this kind of security adequately protects survivor’s data (as long as spyware is not on the device), it also complicates the organization’s process of sending and receiving email, so staff will need training on how to use “zero knowledge encryption” software.

Being creative in your use of disclaimer language may help get the message across that email communications are not secure. The language below can be included in emails with a survivor as part of the informed consent process.

Communications between [organization name] and survivors are protected by Provincial /Canadian [privacy law]. [Organization name] does not reveal or share survivor communications without a survivor’s written permission except where required to do so by mandated reporting. However, we want to make sure you are aware of the privacy risks related to email communication:

• Email is not a secure way to communicate.
• Emails can be easily seen by other people without your knowledge or consent. Because of that, please limit the personally identifying information you send in emails to only what is necessary.
• [Organization name] staff can talk to you about ways to increase your privacy and safety online.

To support your development of safe tech use policies, WSC has developed a Use of Technology Policy Template Guide for Women’s Shelters and Transition Houses (PDF, in English only).

Technology-Facilitated Gender-Based Violence (TFGBV) is part of a continuum of violence that can be both online and in-person. If you or someone you know is experiencing TFGBV, you are not alone. You can use sheltersafe.ca to find a shelter/transition house near you to discuss options and create a safety plan. You don’t need to stay in a shelter to access free, confidential services and support.

Adapted for Canada with permission from NNEDV’s Safety Net project, based on their resource Organization’s Guide to Email.