UK ICO publishes guidance on sending personal data in bulk emails

Misuse of the blind copy email function features consistently in list of top 10 non-cyber breaches.

On August 30, 2023 the Information Commissioner’s Office (ICO) published new guidance to help organizations understand the law and good practice around protecting personal information when using the blind carbon copy (BCC) function to send bulk emails. This follows a catalogue of business errors earlier this year.

Last month the ICO reprimanded two Northern Irish organizations for disclosing people’s information inappropriately via email. In March the ICO issued a reprimand to NHS Highland for a “serious breach of trust” after a data breach involving those likely to be accessing HIV services.

According to the ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019. The education sector is the biggest offender for BCC breaches, with health, local government, retail and the charity sector also in the top five.

“Where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”

Mihaela Jembei, Director of Regulatory Cyber, ICO

While BCC can be a useful function, the ICO said, “it was insufficient on its own to protect people’s personal information”. The ICO is asking organizations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers.

The new guidance is part of the ICO’s commitment to help organizations get email security right. However, Mihaela Jembei, ICO Director of Regulatory Cyber, warned, “where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us”.

Email best practices for organizations

Under data protection law, organizations must have appropriate technical and organizational measures in place to ensure personal information is kept safe and not inappropriately disclosed to others.

ICO best practice includes the following guidelines:

  • If organizations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services, so information is not shared with people by mistake.
  • For non-sensitive communications, organizations that choose to use BCC should do so carefully to ensure personal email addresses are not shared inappropriately with other customers, clients, or other organizations.
  • Organizations should also consider having appropriate policies in place and training for staff in relation to email communications.

Failing to implement sufficient measures could lead to both operational and reputational risk and as well as a serious risk of harm to those whose sensitive personal information is unprotected.

For further advice on email best practices, view the ICO’s full email and security guidance.