Beware the use of “blind copy” aka “bcc” as a data protection compliance tool

19th September 2023

Data protection law compliance is an iterative process rather than a one-off exercise. I like to think of it like health and safety…. when you discover that the ladder can slip in certain conditions, next time your risk assessment requires the ladder to be lashed to the building. And the same is true of data protection breaches.

In the case of mass emailing, be it for announcements, marketing campaigns or service messages, it has become received wisdom that in order to protect personal data, that the blind copy (“bcc”) function should be used rather than the copy function (“cc”.)

In the simplest terms this means that any particular recipient of the email cannot see who else has received the email and therefore cannot make inferences about the other recipients based on the content of the email. Using “bcc” also has the added bonus of concealing email addresses from any other recipient who may cheekily and unscrupulously “scrape” the “to” or “cc” fields in order to gather a database of legitimate email addresses in order to send their own unsolicited messages.

However, a recent series of what the ICO has described as “business blunders” (although the author notes in each case that it was actually a public authority that messed up!) using this technique has led to the ICO publishing updated guidance about the use of “bcc” and to strongly advise against it where the content of the emails contains special category or other sensitive personal data.

The ICO guidance says

“According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019. The education sector is the biggest offender for BCC breaches, with health in second, then local government, retail and the charity sector rounding out the top five.”

A particularly unfortunate example recently occurred where users of NHS Highland’s HIV services were copied on emails to each other, publishing their HIV positive status to all the other recipients of the email.

All organisations processing personal data are required to have technical and organisational measures in place to secure personal data. The ICO suggests that

  • organisations should tend towards using bulk email service providers with software features that send unique personalised mails rather than using desktop email clients when sending mass emails; and
  • additionally train staff on the risks associated with clumsy use of email clients.

Some other tips that we have come across along the way are:

  • Some IT service providers can introduce algorithms that question users whether they really intended to “to” or “cc” individuals if that is an unusual pattern of behaviour; and
  • Introducing a short delay before transmitting emails to give the sender a chance to recall an incorrectly addressed email when the sinking feeling hits just after pressing “send.”

Now that the ICO has set-out its thoughts on the matter, all organisations processing personal data should be very cautious about relying on “bcc” as a technique for securing personal data. The ICO is unlikely to be sympathetic to organisations which make errors having failed to heed that advice. Following the health and safety example through: the first time is an accident – unforeseen and forgivable, but any subsequent incidence of the same or highly similar issue will be viewed as non-compliant, careless and possibly negligent and be adjudged more harshly if enforcement action is considered.