How Child Protection Services is maintaining data security and privacy with SecuMailer


Meint Post

22 May 2024

Child Protection Services, part of the Dutch Ministry of Justice and Security, required a top-notch secure email solution that would not change the way its employees and clients work. CPS had tried out a competing product that used the old-fashioned web portal approach and encountered many difficulties in making it work in their complex social interactions. In the end they ditched the portal solution in favour of SecuMailer's advantages: secure email is delivered straight into the recipient's inbox whilst maintaining the highest level of GDPR and eIDAS security.

Customer: Child Protection Services

In a few sentences, please tell us why this initiative is important for data security and three big takeaways that you’d like the reader and audience to know.

This initiative is important because it demonstrates that security and privacy can be maintained even in very delicate and highly sensitive situations where multiple parties are involved in the communication.

3 big takeaways:

  • Secure Email can be made fully compliant with the GDPR
  • Secure Email can be used for highly sensitive information if supported by a well-thought-out standard (the eIDAS standard for protecting medical information via secure email)
  • Data minimization leads to better data security and privacy guarantees

Briefly describe any barriers to developing this data security and privacy initiative.

  • Secure email with medical information needs to be protected by using 2FA for sender and recipient.
  • Personal data of EU citizens cannot be processed in the USA without extra security measures, due to Schrems II.
  • Due to the complex social interactions involved, it was not acceptable if recipients had to make a significant effort to open the email.
  • Under the GDPR it is advised to avoid extra copies of emails in portals or the cloud (to comply with the data minimisation principle).

What is the impact of the initiative on data subject privacy and the proportion of data subjects affected?

All employees of Child Protection Services and their clients are using the SecuMailer secure email solution to communicate with regards to ongoing cases.

The privacy of all data subjects is fully protected during the communication of the cases. No data leaks have been reported.

Provide 2-4 specific examples and metrics demonstrating how this privacy program or initiative has enhanced the organization and its bottom line.

0 data leaks reported (emails delivered to wrong recipient)

Compliant with the highest data security and privacy requirements of the Ministry of Justice and Security

Integrated with the ministry's highly secure communications network, including integration with the Cisco ESA gateway.

Implemented data labelling for message routing and security uplift

In a few sentences, please explain what data security and privacy risks are reduced by this initiative.

By securing the automated emails the following privacy risks are reduced:

  • No emails are sent to the wrong recipient
  • No sensitive information is revealed by email to persons that are not entitled to this information
  • No emails were processed on USA located systems, so no dependency on the privacy shield.
  • No emails were sent to insecure mail servers
  • This all leads to the conclusion: the customer has not suffered any data leaks thanks to its secure email program, and therefore GDPR fines are avoided

By using secure email technology instead of web based portals to inform the recipient of his/her case:

  • No extra copies of the test results are created
  • No data concentration is created

Provide specific examples of how the data security and privacy initiative has been integrated into the organization.

Specific user groups and information labelling policies were implemented at Child Protection Services, allowing a fine-grained routing policy for GDPR email, highly sensitive/confidential emails and non-critical emails. Employees did not require any training. During go-live and the subsequent weeks there was no impact on the CPS help desk.

Better with Amazon Web Services

SecuMailer uses AWS Lambda serverless computing to deliver its SaaS services. Because AWS Lambda avoids the use of permanent physical servers, no digital traces are left behind when processing emails. With every email several lambdas are executed, none of which leaves any digital traces. AWS Lambda works very well with encryption, be it via encrypted environment variables or via AWS Secrets Manager, which ensures that all data remains fully confidential whilst being processed, a very important aspect for Child Protection Services. The integration of Identity & Access Management (IAM) policies ensures that lambdas run with the minimum privileges required to get the job done. This in itself ensures a stronger data security posture, because only authorized system components can access data sources within the platform.
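The least-privilege and encryption points above are the kind of thing a platform team verifies before every deployment. The following is an added example, not SecuMailer's code or any part of its platform: a pre-deployment check that a Lambda execution role policy grants only the access a hypothetical mail-processing function needs (one secret, one KMS key, its own log group) and that the function's environment variables are encrypted with a customer-managed KMS key. The region, account, ARNs, function name and both policy documents are constructed for illustration; the `KMSKeyArn` field follows the shape of Lambda's FunctionConfiguration, where its absence means the AWS-managed default key is in use.

```python
"""Added example (not SecuMailer's code): verify a Lambda role policy against
an explicit expected scope, and check env-var encryption with a customer key.
All ARNs, names and policy documents below are constructed for illustration."""
import json
from fnmatch import fnmatchcase

REGION, ACCOUNT = "eu-west-1", "123456789012"  # constructed values
LOG_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/mail-processor:*"

# The only access this hypothetical Lambda needs. Keys are IAM actions, values
# are the widest acceptable resource ARN (a '*' here is a deliberate glob).
EXPECTED_SCOPE = {
    "secretsmanager:GetSecretValue":
        f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:mail/smtp-credentials-*",
    "kms:Decrypt":
        f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555",
    "logs:CreateLogStream": LOG_GROUP,
    "logs:PutLogEvents": LOG_GROUP,
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_violations(policy: dict) -> list[str]:
    """Return one finding per deviation from EXPECTED_SCOPE; [] means the policy is within scope."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants an open-ended set")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in EXPECTED_SCOPE:
                # Catches both unrelated services and wildcards such as 'secretsmanager:*'.
                findings.append(f"statement {i}: action {action!r} is not needed by this function")
                continue
            for res in _as_list(stmt.get("Resource", [])):
                # fnmatchcase treats '*' in the expected ARN as a glob but '*' in the
                # policy's ARN as a literal character, so a broader policy ARN such as
                # '*' or '...:secret:*' does not match the narrower pattern and is flagged.
                if not fnmatchcase(res, EXPECTED_SCOPE[action]):
                    findings.append(f"statement {i}: {action} on {res!r} exceeds expected scope")
    return findings


def env_vars_use_cmk(function_config: dict) -> bool:
    """True when the function's environment is encrypted with a customer-managed key.
    Assumes the FunctionConfiguration dict shape; a missing KMSKeyArn means the
    AWS-managed default key is used, which a stricter posture would not accept."""
    return bool(function_config.get("KMSKeyArn"))


# Constructed over-broad policy: the typical "just make it work" role.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:*", "kms:Decrypt", "s3:GetObject"],
     "Resource": "*"}
  ]
}""")

# Constructed least-privilege policy for the same function.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": EXPECTED_SCOPE["secretsmanager:GetSecretValue"]},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": EXPECTED_SCOPE["kms:Decrypt"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": LOG_GROUP},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {find_violations(policy) or 'no violations'}")
    config = {"FunctionName": "mail-processor", "KMSKeyArn": EXPECTED_SCOPE["kms:Decrypt"]}
    print("env vars use customer-managed key:", env_vars_use_cmk(config))
```

The design choice worth noting is that the check compares the policy against a written-down expected scope rather than hunting for wildcards in isolation: a resource such as `...:secret:*` contains no bare `*` on its own yet still grants every secret in the account, and the pattern match catches it because it is broader than what the function is documented to need.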

Implementation:

Onboarding with SecuMailer is done by the following steps:

  • Buy your solution on AWS Marketplace
  • Follow your implementation instructions (30 minutes to 2 hours of work)
  • Get a personal workshop to integrate all privacy measures into your organization's policy as well
  • Start sending all your emails securely and fully compliant with GDPR and eIDAS

Background information SecuMailer:

SecuMailer is a private company. We provide our customers with a SaaS solution to send confidential information by secure email.

SecuMailer was started in 2017 by Yvonne Hoogendoorn CIPP/E and Meint Post CISSP / ISSAP.

SecuMailer is fully compliant with the GDPR and certified for eIDAS, ISO 27001:2002 and NTA 7516, and has the ECSO label (European Cyber Security Organisation).

SecuMailer is available on the AWS Marketplace.

SecuMailer is one of the founders of the Dutch regulation NTA7516 for secure email with personal medical information. This regulation combines elements of the GDPR, eIDAS and the Dutch medical laws.
