Sending bulk emails? New ICO guidance published to limit email data breaches

Recent email data protection issues include:

• The Patient and Client Council being reprimanded by the ICO for sending an email to 15 members of a Gender Identity Liaison Panel using the “carbon copy” functionality allowing the recipient to infer that all the other recipients had experienced gender dysphoria;
• HIV Scotland being fined £10,000 by the ICO after sending an email to 105 people using the carbon copy functionality which, again, allowed the other recipients to make assumptions about the other individuals’ HIV status or risk;
• The Tavistock & Portman NHS Foundation Trust being fined £78,400 after emailing 1,718 gender identity clinic patients in relation to an art competition using the “to” field meaning that the recipients could assume that the other recipients were active patients of the Trust’s gender identity clinic. It should be noted that the ICO was minded to issue a fine of up to £784,000 for this breach, but that it was reduced by 90% having taken into account the circumstances of the breach and the public role of the Trust.

Recent guidance published by the ICO highlights the risks of using blind carbon copy (BCC) when sending out bulk emails, and addresses some of the alternatives which may pose less of a risk.

What are the data protection issues surrounding bulk emails?

BCC is an email function which allows the sender to circulate an email to a selected group of recipients all at once. However, this recent guidance issued by the ICO tells us that incorrect use of BCC emails is, perhaps unsurprisingly, one of the top data breaches reported to the ICO each year, with nearly one thousand breaches reported since 2019.

The particular problem lies where personal or sensitive information is being circulated. There is a risk that if a recipient is added to a BCC group in error, they could receive any and all emails sent to that group that are not intended for them.

The ICO has also highlighted that even when sensitive nor personal information are  being circulated, other considerations to bulk emails should be afforded, such as ensuring that email addresses within a CC group are not being shared with other recipients inappropriately. When using CC, email addresses are visible to other recipients. An email address which clearly identifies a person (or even where they work) is considered ‘personal information’, so senders should be vigilant when using this function.

What is the guidance?

Mihaela Jembei, ICO Director of Regulatory Cyber, has asked that organisations consider this new guidance when sending out email communications. The guidance has been broken down into ‘must’, ‘should’ and ‘could’ categories, making it user-friendly and easy to understand. Organisations:

• Must assess what technical and organisational security measures are appropriate, for example, setting delays before an email is released to allow time to correct errors, or inputting alerts to flag which field is being used;
• Should include in the assessment consideration of whether using another secure method (such as bulk email services or mail merge services or secure transfer services) is more appropriate rather than simply using BCC;
• Should train staff about security measures when sending bulk communications by email, as this will help to reduce the risk of human error; and
• Could send emails to individual recipients when sending to a small group.

Helpfully, the guidance also explains what might be considered ‘sensitive information’. This will depend on the context and senders should consider what impact it would have on people if there was a breach. Providing training on email data protection issues to staff members will assist when making these decisions prior to sending out any communications.

It is also important to remember that all data breaches must be reported to those responsible for data protection within each organisation. When a breach is handled promptly, it helps to reduce the harm to the subject of the breach.

If you need legal advice on the impact of this guidance, data breaches or data protection as a whole, please contact our specialist commercial lawyers.