Email encryption

You must not, under any circumstances whatsoever, use email to send restricted University data, or data that is classed as "sensitive" under the Data Protection Act, unless the email, and any attached files containing restricted data, are encrypted.

Encrypting email isn't as easy and straightforward to implement as we'd like. Although there are two well-established standards in existence (S/MIME and PGP), and a number of "those in the know" make use of one or the other, both have a number of implementation difficulties that currently make them impractical to consider on an institutional basis.

Sending restricted University data or personal data by email should be viewed as a last resort. If possible, either encrypt the files and store them on a secure local (dept/faculty) or central file server, ensuring that only those who should have access do have access, or encrypt the file and upload it to FLUFF with the retention period set as low as possible (the default is 7 days). The first option is preferable because it minimises the number of copies of the data in existence. FLUFF is useful for making files available to those who don't have access to a common file store (other parts of the University or external bodies - there is a "fluff for guests" facility).

Do not, under any circumstances, use Hotmail, Googlemail or any other external email service for storing restricted University data.

If an email contains restricted or personal/sensitive data then the email must be encrypted. If one or more attached files contain restricted or personal data then these must be encrypted as well: