Data protection law compliance is an iterative process rather than a one-off exercise. I like to think of it like health and safety: when you discover that the ladder can slip in certain conditions, next time your risk assessment requires the ladder to be lashed to the building. The same is true of data protection breaches.
In the case of mass emailing, be it for announcements, marketing campaigns or service messages, it has become received wisdom that, in order to protect personal data, the blind copy (“bcc”) function should be used rather than the copy function (“cc”).
In the simplest terms this means that any particular recipient of the email cannot see who else has received it and therefore cannot make inferences about the other recipients based on the content of the email. Using “bcc” has the added bonus of concealing email addresses from any other recipient who may cheekily and unscrupulously “scrape” the “to” or “cc” fields in order to build a database of legitimate email addresses for sending their own unsolicited messages.
However, a recent series of what the ICO has described as “business blunders” (although the author notes that in each case it was actually a public authority that messed up!) involving this technique has led the ICO to publish updated guidance about the use of “bcc” and to strongly advise against it where the content of the emails contains special category or other sensitive personal data.
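The cc-versus-bcc distinction above is easy to get wrong in code that sends bulk mail, so here is an added example (not code from the original post or from the ICO) of a pre-send check. It treats any message whose To/Cc headers carry more than one address as exposing recipients to each other, flags a Bcc header that is still attached to the message (if the sending code forwards headers verbatim, the supposedly hidden list is delivered to everyone), and shows the per-recipient alternative of building one message per addressee. The addresses and message text are constructed sample data; the function names are my own.

```python
"""Pre-send recipient-exposure check for bulk email (added example)."""
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient of this message will be able to see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def check_recipient_exposure(msg: EmailMessage) -> dict:
    """Policy check to run before handing a message to the mail server.

    Problems reported:
      "exposes_recipients"  - several addresses in To/Cc, so each recipient
                              learns who else received the message.
      "bcc_header_present"  - a Bcc header is still on the message; it must be
                              stripped before the bytes go out or it leaks.
    """
    visible = visible_recipients(msg)
    problems = []
    if len(visible) > 1:
        problems.append("exposes_recipients")
    if msg.get_all("Bcc"):
        problems.append("bcc_header_present")
    return {"visible": visible, "problems": problems, "send": not problems}


def split_per_recipient(template: EmailMessage, recipients: list[str]) -> list[EmailMessage]:
    """Safer pattern for sensitive content: one message per recipient, so no
    recipient list exists on the wire to be exposed or scraped."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = template["From"]
        m["Subject"] = template["Subject"]
        m["To"] = rcpt                      # exactly one visible recipient
        m.set_content(template.get_content())
        messages.append(m)
    return messages


# Constructed sample data: a service message drafted the wrong way (cc'd).
SAMPLE_RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def build_cc_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["Subject"] = "Appointment reminder"
    msg["To"] = "clinic@example.org"
    msg["Cc"] = ", ".join(SAMPLE_RECIPIENTS)
    msg.set_content("Your appointment is next week.")
    return msg


if __name__ == "__main__":
    draft = build_cc_message()
    print(check_recipient_exposure(draft))          # blocked: recipients exposed
    for single in split_per_recipient(draft, SAMPLE_RECIPIENTS):
        print(single["To"], check_recipient_exposure(single)["send"])
```

Wiring the check into the code path that calls the mail server (rather than relying on staff remembering which field to use) is the kind of technical measure that turns the lesson from one incident into a control that prevents the next.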
The ICO guidance says:
“According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019. The education sector is the biggest offender for BCC breaches, with health in second, then local government, retail and the charity sector rounding out the top five.”
A particularly unfortunate example recently occurred where users of NHS Highland’s HIV services were copied on emails to each other, publishing their HIV positive status to all the other recipients of the email.
All organisations processing personal data are required to have technical and organisational measures in place to secure personal data. The ICO suggests that
Some other tips that we have come across along the way are:
Now that the ICO has set out its thoughts on the matter, all organisations processing personal data should be very cautious about relying on “bcc” as a technique for securing personal data. The ICO is unlikely to be sympathetic to organisations which make errors having failed to heed that advice. Following the health and safety example through: the first time is an accident – unforeseen and forgivable – but any subsequent occurrence of the same or a highly similar issue will be viewed as non-compliant, careless and possibly negligent, and will be judged more harshly if enforcement action is considered.