Back in 2021, HIV Scotland (a charity supporting people diagnosed with HIV and AIDS) was fined £10,000 due to a data breach in which 105 people’s personal data was disclosed. From the personal data disclosed in the breach, it was found that assumptions could be made about their HIV status or risk, making it a very serious matter. The cause of said breach? A failure to appropriately use the Bcc (blind carbon copy) function on a group email.
Breaches caused by poor email practices, whether that be sending emails to the incorrect recipient or the accidental sending of group emails without using the Bcc function, are some of the most common recorded by organisations. Unfortunately, incidents caused by human error such as these are very difficult to eradicate completely; however, that is not to say that they cannot be reduced and mitigated.
In this blog we discuss the importance of ensuring proper group email sending practices and the processes that organisations should use to ensure that they are compliant with data protection laws.
When is it important to hide recipient email addresses?
Not every email sent to multiple people requires the email addresses of recipients to be hidden.
We would (hopefully) all agree that a mass marketing email sent to a store’s whole customer base should make use of a Bcc function (or similar), yet an internal message to a group of office staff about a collaborative project doesn’t, but why do we make this distinction? What factors impact our judgement on when a Bcc is better than a Cc? Well, we suggest there are four:
First things first, you must consider the purpose of the email and whether it requires the recipients to be able to see who else received the communication and to communicate with them. If, as in the example above, the email is talking about something requiring collaboration, or discussion between a group of people, it makes sense that everyone be able to see who the email was received by and, more importantly, be able to respond to all recipients so as to maintain transparency and oversight. However, where this is not the case, recipients being able to see who else received the communication is not essential, so hiding their addresses may be appropriate.
You should also consider what the relationship is between all the various recipients of your communication. In the context of a mass marketing email, the recipients do not know each other or each other’s email address and, going back to point 1, there is no reason for them to. In contrast, in the context of a whole company email, the recipients will most likely all know each other or, at the very least, have the name and email address of all staff available to them through other means, meaning that the disclosure of them in an email is unlikely to be problematic.
When determining whether to Bcc or Cc a group of people into an email, it is vital that you consider its content and, more specifically, what that content might reveal about its recipients. In the HIV Scotland case, the Information Commissioner’s Office (ICO) saw the breach as extremely serious because the content of the communication meant that information about the recipients’ health could be inferred or assumed. In this case the ICO stressed that all personal data is important, but the very nature of HIV Scotland’s work meant it should have taken particular care when sending out these sorts of emails.
This is a key factor that must be taken into account each time you send to multiple recipients. Whilst a generic staff announcement won’t reveal anything about its recipients, more specific information or communications that, simply by being sent to someone, reveal something about them (perhaps an email to all trade union members, or to people who are off sick) should make use of the Bcc function to ensure information is not disclosed without authorisation. In addition, consideration should also be given to whether the information could cause embarrassment to individuals, for example, an email sent to all team members who haven’t completed some work, or perhaps scored low on a test. In the HIV Scotland case for instance, the ICO highlighted that the breach had “caused distress to the very people the charity seeks to help”.
Ultimately, you should ask yourself this: would the recipients reasonably expect their name, email, and other information inferred as a result of the content of the communication to be disclosed to other recipients? If the answer is no, then you should make sure to hide all email addresses. If you do not, you are highly likely to end up with some unhappy recipients, a data breach to add to your breach register, and possibly an ICO complaint.
How to hide email addresses
Under data protection legislation, Data Controllers are required to implement appropriate technical and organisational measures to ensure that their processing of personal data is secure. However, as we have said many times before, the exact measures required are not prescribed and it is therefore up to organisations to make their own judgements based upon the nature of the processing, costs of implementation, state of the art etc.
In the case of hiding email addresses, the simplest way of keeping this personal data secure by not disclosing it is to use the Bcc function that is available on any email system. This method is simple, cheap, and easy to use, making it in theory the perfect solution to the mass emailing problem. However, as alluded to above, there is one factor that cannot be accounted for in this method, and that is human error. The fact is that it is all too easy to accidentally Cc rather than Bcc people into an email – everyone’s done it at some point in time, and when you do you won’t be the first, and you certainly won’t be the last.
The problem is that, depending upon the circumstance, this innocent mistake can cost an organisation dearly – HIV Scotland is the perfect example. That is why in its decision in that case, the ICO stated that given the sensitivity of the personal data handled, HIV Scotland should not have been relying on the Bcc function as its method of preventing unauthorised disclosure of recipients’ email addresses, precisely because it is too vulnerable to human error. Instead, the regulator stated, HIV Scotland should have invested in a dedicated mail out system which provides the necessary functionality for bulk emailing without the risk of email address disclosure.
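The difference between relying on Bcc and using a mail-out tool can be shown in a few lines. The following is an added illustration, not code from the ICO decision or from any mailing product: a pre-send check that refuses a message exposing several external addresses in To/Cc, and a builder that creates one message per recipient so that no header ever lists anyone else. The domain names, addresses and function names are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg):
    """Addresses every recipient can read: the To and Cc headers (Bcc is not shown)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def check_before_send(msg, internal_domain, limit=1):
    """Refuse a message that would show more than `limit` external addresses to each other."""
    external = [a for a in visible_recipients(msg)
                if not a.endswith("@" + internal_domain)]
    if len(external) > limit:
        raise ValueError(f"{len(external)} external addresses visible in To/Cc")
    return True


def build_individual_messages(sender, subject, body, recipients):
    """One message per recipient, so no header ever lists another recipient."""
    messages = []
    for addr in sorted({r.strip().lower() for r in recipients if r.strip()}):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


# Constructed sample data (reserved example domains, not from the article).
RECIPIENTS = ["a@example.com", "b@example.net", "A@example.com ", "c@example.com"]


def demo():
    mistake = EmailMessage()
    mistake["From"] = "news@example.org"
    mistake["Cc"] = ", ".join(r.strip() for r in RECIPIENTS)  # Cc used instead of Bcc
    mistake["Subject"] = "Newsletter"
    try:
        check_before_send(mistake, "example.org")
        blocked = False
    except ValueError:
        blocked = True
    safe = build_individual_messages("news@example.org", "Newsletter", "Hello", RECIPIENTS)
    return blocked, [visible_recipients(m) for m in safe]


if __name__ == "__main__":
    print(demo())
```

The check treats addresses on the sender's own domain as internal, reflecting the earlier point that colleagues already have each other's addresses; the threshold and the internal domain are assumptions to set per organisation.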
Centralised mailing systems
The use of a centralised mailing system (such as MailChimp, HubSpot, Dot Digital etc.) to send bulk emails is beneficial for a number of reasons, not just the prevention of any unauthorised disclosure of recipients’ details to other recipients:
As such, all organisations that send out bulk emails on a regular basis should consider investing in such a tool. However, it is important to remember that when implementing any new software or tools that will be used to handle personal data, it is recommended that a Data Protection Impact Assessment (DPIA) is conducted. In addition, it is important to do your research when considering which third party to engage with by conducting due diligence on their data protection compliance, particularly if they transfer data to other countries. If you want to know more about DPIAs, read our blog on this topic.
But what about Bcc?
Although the ICO suggests using external mailing tools or platforms is the best way to avoid an HIV Scotland situation, this may not always be possible or practicable for some organisations; perhaps because they do not bulk email often enough to justify the investment, or simply cannot afford to invest altogether. In lieu of a dedicated mailing system, therefore, organisations may be forced to rely on the Bcc function to send emails to multiple recipients. Whilst, as discussed, it is impossible to guarantee that human error will not creep in when using this method, ultimately it cannot always be avoided, and there are a number of things your organisation can do to mitigate the risks as much as is possible:
The DPO Centre is one of the largest outsourced data protection resource centres available, working with over 600 clients globally to improve their data protection compliance. To find out how we can help your organisation in its compliance journey, contact us by filling in the form below.