The ICO has recently published new guidance about bulk email communications following a number of data breaches caused by the incorrect usage of CC and BCC (carbon copy and blind carbon copy). 

Emails sent to the wrong person or emails copied rather than blind copied to customers/parents are the most common data breaches seen and are often because someone is rushing or under pressure. The guidance advises training staff on when to use CC and when to use BCC when sending emails.  We would advise reminding staff to take a little bit of extra time to check what names are in the TO/CC/BCC fields before pressing the Send button.  The guidance has a reminder that an email address is personal data as it is possible to identify a living person from it, either directly or indirectly.

The controller has legal obligations to keep any personal information processed secure, and this includes emails and email addresses. You must assess which technical and organisational security measures are appropriate to protect personal information. 

The guidance covers:

• Security measures
• Policies
• Training of staff
• Sending emails using special category information, such as EHCP information, behaviour reports, allergy information.

It then considers what you should do if someone does make a mistake and sends personal data to the wrong person - everyone in an organisation should know what to do if they cause a data breach or become aware of a data breach.

Mihaela Jembei, ICO Director of Regulatory Cyber, said:

“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.

“While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.

“This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.

ICO Guidance Announcement: ICO News: ICO publishes new guidance on sending bulk communications by email

The full guidance: ICO: Email and Security
This article should be read alongside a previous article: