Information and Equipment
YOU are our best defence against information loss and cybercrime.
Royal Mail goes to great lengths to protect customer, colleague and company information. The IT systems that hold customer information have extensive security mechanisms applied to protect it. However, technology only goes so far, and our best defence against loss of information is our employees. It is everybody’s responsibility to safeguard information.
As a company we have guidelines to help employees to understand their responsibility for handling information and using equipment. Please read our updated suite of Information Security and Data Protection Policies.
Here are some top tips on how to handle information:
1. Creating Information
Start with a protective mark. Make sure to classify all information with one of Royal Mail's four classifications (Public, Internal, Confidential and Strictly Confidential) to explain how valuable it is, who is authorised to see and handle it, and the correct handling procedures. When it comes to choosing a classification, ask yourself how much damage Royal Mail could suffer if the information was lost or stolen. The classifications used are:
PUBLIC: Information that has been created or approved for external distribution.
INTERNAL: Information accessible to all or selected staff relating to the on-going business of Royal Mail. Disclosure of this information could cause inconvenience to RMG's business or management, but is unlikely to cause financial loss, liability or material damage to Royal Mail's reputation.
CONFIDENTIAL: Information is confidential within Royal Mail and protected from external access. Confidential information is personal data or commercial information that has been assessed to be of a sensitive nature and likely, following unauthorised disclosure, to cause material disruption to operational effectiveness, financial loss, legal action, material damage to Royal Mail's reputation or advantage to a competitor.*
STRICTLY CONFIDENTIAL: Access is restricted to a small number of people and used subject to very strict rules. Information is highly sensitive personal data (special category, data about criminal offences, children's data, Payment Card Industry (PCI) or other financial data, certain identity data, e.g. passports, tax numbers) or other regulated or commercial information assessed to be so sensitive that unauthorised disclosure would cause acute reputational damage to Royal Mail and/or would have a significant effect on the value of the Share Price.*
*The volume of data being classified could impact the classification label, e.g. 10 bank account details are classified as ‘confidential’ but 10,000 could be deemed sufficiently sensitive to warrant a ‘strictly confidential’ classification. If you need guidance on a case-by-case basis, please contact the Data Protection Office.
If you’re not sure what classification to assign to a piece of information, please contact the Information Security team.
Similarly, when you receive information, always look for its classification. This will help you to determine how it needs to be handled. If you’re not sure how important something is, ask the person who sent or created it.
2. Share Information Securely
Information in motion makes our organisation work. However, you need to know what you can do to protect that data on the move. Here are some pointers on how to share information securely:
- You must only share Royal Mail information using Royal Mail systems, such as email, instant messaging or SharePoint. Other consumer systems, like Skype, Gmail and Dropbox, aren't as well protected and are regularly targeted by hackers.
- Do not forward work emails to your personal email account.
- If you share confidential or strictly confidential information with a party outside Royal Mail Group you should always encrypt the email or information using the security tools provided by IT.
- Use [CONFIDENTIAL] or [strictly confidential] to encrypt emails sent externally and use MoveIT for sending large sensitive files outside of Royal Mail.
3. Store Information Securely
Prevent a breach - keep your data out of reach. Only store Royal Mail information on Royal Mail servers or devices provided by Royal Mail, like your laptop or mobile phone. A secure, accessible storage location is your team's restricted access SharePoint site, but make sure to set access permissions on your sites, folders and files so only authorised colleagues can see them.
4. Disposing of Information Securely
Printed documents that are classified as Strictly Confidential, Confidential and even Internal must be disposed of in a confidential waste bin or shredder. Remember, only documents classified as Public can be thrown into a general recycling bin.
Do not forget about digital disposal! Request confirmation from a supplier on termination of the contract and see our How to Delete Securely for more guidance on deleting your data.
Protecting information also means protecting work equipment such as laptops, work mobile devices and our network.
- Equipment or media should not be left unattended in public places.
- Whenever you leave your desk or workstation unattended, keep a 'clear screen' and 'clear desk'.
- Lock your laptop screen when you are away from it.
- Lock away your laptop if you are leaving it in the office overnight.
- Use a privacy screen when you are travelling and working on your laptop or even in the office if you are working on critical information.
- If you are working remotely, always connect to the Royal Mail network using the Royal Mail VPN.
Printing, Scanning and Photocopying Information
If you are printing Confidential or Strictly Confidential information you must use 'locked print' mode if it's available on the printer. There is also a 'locked scanning' mode. With printers, scanners and photocopiers, don't forget to check you have everything before you leave; something as simple as the paper running out half way through your print job can cause a serious information breach.
Around our buildings
- Your photo ID card is equipment too. Wear it at all times when in the office, and remove it when you leave the building.
- Never let anyone into our premises who isn’t wearing a photo ID card, and watch out for ‘tailgating’, which is when people follow you through security gates.
- Make sure visitors are signed in and visibly wearing a visitor badge. Escort them out of the building when they have finished their visit.
Want to get in touch?
We’re always available to answer your questions or address your concerns about information security and data protection at Royal Mail Group. Simply contact Think Secure.