The department currently enables the use of email comms only in certain cases where it is necessary for user need, but wishes to investigate how this deployment could be expanded.
The Department for Work and Pensions is eager to investigate the possibilities of increasing its use of email to communicate with service users.
The department currently enables the use of email only in particular cases where it serves a citizen’s accessibility needs, according to pensions minister Paul Maynard. In these instances, the DWP makes use of tech that allows enhanced security protection.
“DWP utilises technology which allows encryption with most providers of personal email services, such as Gmail or Outlook, helping this stay secure,” he said. “As such, email communication with customers is currently permitted in certain circumstances, for example, where the customer has a reasonable adjustment in place.”
The minister was asked, in a written parliamentary question from Plaid Cymru MP Hywel Williams, whether the DWP planned to make an “assessment of the potential merits of offering secured email as a communications option for his department’s customers upon request”.
In his response, Maynard indicated that the DWP is interested in how it might be able to deploy the technology more widely, beyond the current exceptional uses.
“The department is keen to utilise the benefits provided by email communication and is currently exploring the possibilities of expanding its use of email to communicate with customers,” he said.
Government guidance for service teams that wish to use email to communicate with users instructs that a dedicated email address must first be created – for example, firstname.lastname@example.org or email@example.com.
“If you need to email your users, you must do it in a way that is reliable and protects them from spam and phishing,” the guidance states. “You should use a specialist service provider for sending emails, and consider using GOV.UK Notify. Your service provider should: send and receive email using Transport Layer Security (TLS), where available; use DomainKeys Identified Mail to sign outbound email; provide a hostname or IP range for you to include in your Sender Policy Framework record.”
The use of email should be subject to regular and automated monitoring and testing designed to ensure reliability of service, officials are advised. Those sending messages must also take their data-protection responsibilities into account.
The guidance adds: “When contacting your users, you must: leave out sensitive information, like bank details; avoid making requests for personal information, like a user’s date of birth; only send links which point to the GOV.UK domain and show the URL in full; avoid including redirects in any links – for example, tracking; avoid sending attachments with emails; include the user’s first name and surname in the body of the email to make phishing more difficult; enable Domain-based Message Authentication, Reporting and Conformance (DMARC) to stop someone spoofing your domain; follow the guidance on securing government email to set up DMARC and TLS on your service.gov.uk domains.”