VAHTI 2/2006 Electronic Mail-handling Instruction for State Government
The Ministry of Finance is responsible for the steering and development of information security in the Finnish Government and has set up the Government Information Security Management Board (VAHTI) for cooperating on, steering and developing Government information security.
Besides the Finnish Government, the results of VAHTI cooperation are also widely utilised in local government, the private sector and international co-operation.
Members of VAHTI represent various administrative sectors and levels of public administration and bring broad information security experience. The group is well known for its information security publications, guidelines and instructions. A couple of broad studies have acclaimed VAHTI as the best-working body for cross-government ICT and information management coordination in the Finnish Government.
This document is a translation of the instruction issued by the Ministry of Finance for the Finnish State Government in 2005 on secure electronic mail handling. The instruction was prepared under the supervision of the VAHTI Board.
The instruction is primarily directed at the Ministries, State Agencies and institutions, but it is applicable in other organisations as well. The recommendations are meant as the foundation of electronic-mail policy and of practical operating instructions. The instruction concentrates mainly on the relationship between the State employer and the employee. An employee means a person employed by an authority irrespective of the nature of the employment relationship.
The starting point for the examination is the directly applicable legislation in force.
The Finnish Constitution regulates the protection of privacy, the freedom of expression and the right of access to information. The Penal Code lays down a sanction for a secrecy violation if one interferes with the messages of another. The Personal Data Act (523/1999) regulates the processing of personal data. Personal data means any information on a private individual and on his personal characteristics or personal circumstances, where these are identifiable as concerning him or the members of his family or household. The Act on the Openness of Government Activities defines inter alia an official document.
The Act on the Protection of Privacy in Working Life (759/2004) contains very clear provisions, for example on the reading of electronic mail when the employee is prevented from performing his duties. One should familiarise oneself with the Act in its entirety. The Act on the Protection of Privacy in Electronic Communications (516/2004) also contains provisions so central that one should familiarise oneself with it in its entirety; the chapters most relevant to electronic mail are Chapters 1–3 and 5.
In addition to the provisions of these Acts, the Ministries have issued instructions on the handling of electronic mail. For example, the public instructions and recommendations issued by the Ministry of Finance can be found on the website of the Government Information Security Management Board (www.vm.fi/vahti (in Finnish), www.ministryoffinance.fi/security (in English)).
In spite of the legislation and recommendations, the prevailing situation is not without problems. It is left to each organisation to decide, for example, the following matters:
- for what kind of external or internal communications of the organisation, and for what services, the official electronic-mail address may be used
- whether communications are restricted or encrypted in some manner
- whether the use of the electronic-mail address is allowed for the employee's private messages
- what the procedure is with regard to the contents of messages when the person is temporarily or permanently absent.
The recommendations presented include the creation of an electronic-mail practice policy and instructions on its use. There is a need to emphasise the obligation of secrecy and non-exploitation, and to restrict the use of personal electronic-mail addresses to certain functions only. The use of electronic mail shall be prepared in co-operation with the personnel, and they shall be informed of the procedures applicable.
A special issue worth taking into account is so-called spam. It is the obligation of the organisation to filter electronic mail, because the share of spam may be as much as 90 percent of the traffic. Electronic mail is also used to spread malicious programs for criminal purposes such as scams. It thus forms a significant threat to information security.
The instruction is appended with model texts for the filtering of electronic mail, a confidentiality agreement, a confidentiality notification and a consent for the retrieval of electronic-mail messages.