It should not be relied upon
+ {% endcall %} + +Talk to your call centre staff to find out why people call – this is probably why they are anxious. For example:
+ +If someone needs to do something, tell them. For example:
+ +Your MOT expires on 28 September – get an MOT
+ +The deadline for tax returns is 31 January – complete your self assessment tax return
+ +Your passport photo didn’t meet our standards – take a new photo
+ +When someone does something important, send a security check to the people who might be affected. For example:
+ +When someone wants to sign in, send a 2-factor authentication code to the number you have on file. For example: Your GOV.UK verification code is 123 456
+Use radio buttons to ask the user how they’d like to be contacted:
+ +When the user selects a contact method, dynamically prompt them for contact details (if you don’t already have them)
+ +Ask the user to pick one primary contact method. Users don’t like duplicate notifications.
+ +You can still contact them by other contact methods if appropriate.
+ +Collect these using the patterns in the Government Service Manual and the Hackpad.
+ +Tell the user that you will send them notifications. For example:
+ +++We will email you about this petition, and nothing else. You can unsubscribe at any time
+
Don’t explain the whole process – just tell the user what will happen next.
+ +Don’t send a message for steps that aren’t important to the user. For example, you don’t need to tell the user about background checks unless they fail one of the checks.
+ +Say ‘Dear’, not ‘Hi’ – some people prefer ‘Hi’ and some prefer ‘Dear’, but only the people who prefer ‘Dear’ care enough to complain when we say ‘Hi’
+ +It should not be relied upon
+ {% endcall %} + +A more pragmatic approach to information security
+ +In the past, government has taken a risk-averse approach to information security. This resulted in services that were unhelpful and hard to use.
+ +We’re switching to a more pragmatic approach to information security – one that balances a user’s needs to be kept informed and kept safe.
+ +In the past, for example, our blanket no-links policy meant we were telling people to “search ‘the UK government’ and click the first result” rather than just telling them to “visit www.gov.uk”. Other services had a blanket policy of not sending any information at all, resulting in obtuse messages like “You have a message in your online account. Sign in to see the message.” (no sign-in link included).
+ +Start by writing the message you want to send. Don’t worry about the information security aspect just yet – write the message you want to convey as clearly and directly as possible.
+ +We have design patterns and content guidance to help you write clearly and convey the right information at the right time.
+ +Once you have a message which meets user needs, look at it in relation to the risks below. Use this framework to decide if you need to change the message in order to keep the users safe.
+There are 3 main risks involved in sending notifications by text message, email or letter:
+ +For some messages, the recipient would be unhappy if someone else accidentally saw the contents – for example, the results of a recent medical test.
+ +This is a privacy issue – in this case the unintended recipient isn’t trying to steal money or identity information.
+ +To address this risk, don’t reveal the important information in the subject line or opening sentence, or ask the user to sign in to see the information in full. More about this below.
+ +It’s possible for hackers to intercept messages. Text messages, emails and letters can all be intercepted.
+ +It’s also possible for a criminal to gain access to someone’s entire email inbox, phone messages or paper files. Email accounts can be hacked, phones and paper files can be stolen, left lying around or picked out of the rubbish.
+ +In both cases, criminals are looking for information they can use to commit fraud. To address this risk, don’t send payment details, ID numbers or any other information that can be used for fraud. More about this below.
+ +In this scenario, a hacker sends lots of messages pretending to be from an official government service, hoping to trick someone into revealing information of value.
+ +This is known as a ‘phishing attack’.
+ +To address this risk, don’t send requests for personal information of any kind, unless the request is directly connected with a transaction. More about this below.
+If you think the recipient might be upset if someone accidentally saw the message contents, either:
+ +Remember that even the sender ID also reveals information. For example, don’t set your sender name as ‘STI clinic’.
+ +To reduce the risk if messages are intercepted, hacked or stolen, don’t send information that can be used for fraud – either now or in the future:
+ +Payment details can be used for fraud straight away. Other information requires a bit more work. For example, an attacker might use one piece of information to get hold of another, eventually gaining enough information to commit fraud. Or a criminal might use information from several old messages to steal someone’s identity.
+ +To reduce the risk from phishing attacks, don’t send requests for personal information of any kind, unless the request is directly connected with a transaction.
+ +It’s OK to send a request for personal information if it’s directly connected with a transaction. Here are two examples of where it would be OK:
+ +The same 2 rules above apply to links, too:
+ +There are additional rules that apply specifically to links:
+ +If you want to communicate something, write it in the body of the email. This is more user-friendly. If the information is too sensitive to include in the email body, it’s too sensitive to include in an attachment.
+ +If you need to send someone a file, make the file available within your service, then link to it.
+ +Criminals often use attachments to conceal viruses, spyware and other kinds of malware. We want people to be cautious about opening attachments.
+ +Start your message by addressing the user. For example, Hi Alice Smith or Dear Bob Jones. Including this extra piece of information makes phishing more difficult.
+ +There are several technical approaches to preventing phishing – SPF/DKIM, DMARC and TLS. You must use them.
+ +SPF/DKIM and DMARC make sure your emails get delivered, whilst phishing and spam email gets filtered into junk mail.
+ +TLS makes sure that no-one can intercept your emails.
+These guidelines are the minimum requirement. If you want to take more stringent measures for your service, that’s fine.
+ +Just make sure you’re balancing your users’ needs to be kept informed and kept safe.
+