Security tools
The technology we choose to use is not neutral with regard to guaranteeing our own rights or the rights of others. Every individual has a duty not to reveal the privacy of others without their consent. The University as a whole, as a Public Administration, has a duty to ensure that in the exercise of its public powers it does not unlawfully infringe upon the rights of those it serves.
The reality is that we use technology without questioning whether it's appropriate from a security standpoint, nor does it respect the rights of others or our own. We're used to giving in, telling ourselves, "Everything is public, and there's nothing we can do to stop it; after all, I have nothing to hide." We don't ask ourselves (and we're obligated to protect other people's privacy) what data about other people I upload to "my cloud," which is "someone else's computer," when I save a phone number on my mobile device, when a photo is backed up, and especially when I tag someone on social media... even if I don't post it.
Privacy, however, is a value intimately related to the free development of the individual's personality, which Article 10 of our Constitution considers it the foundation of our society, and that the GDPR It aims to re-establish appropriate terms, allowing for the harmonious use of technology while respecting the free development of the individual. Guidelines are provided here to enable this use of technology.
Email is insecure. Unless encrypted, you should never include anything in an email that you wouldn't include on a postcard. You also shouldn't assume the sender is who they claim to be unless the email is electronically signed. Email can never replace official notifications in administrative proceedings. At most, it serves as a reminder that the notification is available through another means (usually, notification by appearance at an electronic office).
Email-based communications work by relying on a vast chain of computers (servers) that pass the message around until it reaches the final recipient and is deposited in their inbox. The idea was to be able to send a message from anywhere to a specific inbox; that's what it was created for, and it does that very well. Therefore:
Unless the email service is provided directly by a public administration or a non-profit organization, emails are either promotional for other paid services or their business model is based on collecting user data to sell marketing campaigns. The best-known examples use the latter model (generating profiles for automated individual decisions, which is a risky practice under the GDPR). Among the former, there are often companies that pride themselves on offering privacy in their communications, such as Mailfence (Belgian), Tutanota (German), Post (German, no translation), or Protonmail (Swiss).
From a privacy and regulatory compliance standpoint, the use of the former (those with a business model based on data collection) is inadvisable, while the latter is recommended. Even if, hypothetically, a company dedicated to the first model (analyzing data for marketing) agrees with a government agency to offer its service without analyzing data for profiling, and therefore we have no reason to suspect they will do so (i.e., they agree to provide the service using the promotional model), it would still be promoting a data sharing model, which does not seem very aligned with the objectives that public administrations should pursue. In this scenario, the legal correctness of the measure can be defended in terms of strict data protection, but not in terms of public policy, which cannot be entirely discretionary.
Encryption doesn't fully solve the problem of providers using data for marketing and automated decisions based on these profiles. This problem can only be addressed by knowing that neither the sender nor the receiver uses these "mail carriers," since these services, based solely on their knowledge of the sender and receiver, establish probabilities about the content. This is enough for them to "tag" the user. Nevertheless, cryptography somewhat mitigates the problem, at least in the years when the encryption remains unbroken (all encryption eventually breaks due to technological evolution, so if encrypted messages are stored, it will eventually be possible to process and decrypt them, extracting information relevant to user profiling).
In addition to using secure platforms, such as those recommended above, for personal email, the following programs are recommended for institutional (and personal) email, allowing both signing and encryption. Signing proves that the email originated with us (the recipient using one of the following techniques will see a green bar indicating that the sender's identity has been verified). Encryption ensures that only the intended recipient can read our message (we will need to know their public "key," which these programs handle without complicating things for the user). Three solutions, well-explained and documented online, follow: