Data protection law compliance is an iterative process rather than a one-off exercise. I like to think of it like health and safety: when you discover that the ladder can slip in certain conditions, next time your risk assessment requires the ladder to be lashed to the building. And the same is true of data protection breaches.
In the case of mass emailing, be it for announcements, marketing campaigns or service messages, it has become received wisdom that, in order to protect personal data, the blind copy (“bcc”) function should be used rather than the copy function (“cc”).
In the simplest terms this means that any particular recipient of the email cannot see who else has received the email and therefore cannot make inferences about the other recipients based on the content of the email. Using “bcc” also has the added bonus of concealing email addresses from any other recipient who may cheekily and unscrupulously “scrape” the “to” or “cc” fields in order to gather a database of legitimate email addresses in order to send their own unsolicited messages.
However, a recent series of what the ICO has described as “business blunders” (although the author notes in each case that it was actually a public authority that messed up!) involving this technique has led to the ICO publishing updated guidance about the use of “bcc” and strongly advising against it where the content of the emails contains special category or other sensitive personal data.
The ICO guidance says:
“According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019. The education sector is the biggest offender for BCC breaches, with health in second, then local government, retail and the charity sector rounding out the top five.”
A particularly unfortunate example recently occurred where users of NHS Highland’s HIV services were copied on emails to each other, publishing their HIV positive status to all the other recipients of the email.
All organisations processing personal data are required to have technical and organisational measures in place to secure personal data. The ICO suggests that
Some other tips that we have come across along the way are:
Now that the ICO has set out its thoughts on the matter, all organisations processing personal data should be very cautious about relying on “bcc” as a technique for securing personal data. The ICO is unlikely to be sympathetic to organisations which make errors having failed to heed that advice. Following the health and safety example through: the first time is an accident, unforeseen and forgivable, but any subsequent incident of the same or a highly similar issue will be viewed as non-compliant, careless and possibly negligent, and will be judged more harshly if enforcement action is considered.
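As an added illustration (not from the original post or the ICO guidance), the following Python shows the safer alternative to “bcc” that the advice points towards: build one message per recipient so that no other recipient’s address ever appears in a header, and gate every message before it reaches the mail server. The sender and recipient addresses are constructed samples, and the send step itself is left out.

```python
"""Per-recipient sending as an alternative to bcc: a mis-click between
"cc" and "bcc" cannot expose other recipients if each message carries
exactly one visible recipient and is checked before it is handed over."""
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see in the To/Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_single_recipient(msg: EmailMessage) -> bool:
    """Pre-send gate: exactly one visible recipient and no Bcc header at all.

    A Bcc header is rejected too: relying on the client or server to strip it
    is precisely the assumption that fails in the breaches the ICO describes."""
    return len(visible_recipients(msg)) == 1 and msg.get("Bcc") is None


def build_individual_messages(sender, subject, body, recipients):
    """Build one message per recipient instead of a single bulk message."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt  # the only address this recipient will ever see
        msg["Subject"] = subject
        msg.set_content(body)
        if not check_single_recipient(msg):  # catches "a@x, b@x" smuggled in one entry
            raise ValueError(f"refusing to send: multiple visible recipients in {rcpt!r}")
        messages.append(msg)
    return messages


def build_bulk_message(sender, subject, body, recipients, field="Cc"):
    """The error-prone form: one message with everyone in To, Cc or Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    if field == "To":
        msg["To"] = ", ".join(recipients)
    else:
        msg["To"] = sender
        msg[field] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    sample = ["a@example.org", "b@example.org", "c@example.org"]  # constructed list
    msgs = build_individual_messages("clinic@example.org", "Reminder", "Hello", sample)
    print(len(msgs), "messages, visible recipients:", [visible_recipients(m) for m in msgs])
    print("bulk cc passes gate?", check_single_recipient(build_bulk_message("clinic@example.org", "Reminder", "Hello", sample)))
```

The gate deliberately treats a “bcc” message as a failure as well, so the only way past it is the per-recipient form.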