Update to Advisory Note 01/2023 published in January 2023
The Blind Carbon Copy (Bcc) function can be a useful tool when sending emails, as the
recipients cannot see who else the email was sent to. It is often relied on when sending
emails to a group of individuals so as not to reveal the recipients to one another (as would
be the case if the Carbon Copy (Cc) field was used).
Bcc is sometimes used to ensure personal email addresses are not shared inappropriately
with other people or organisations. However, although useful, it is a risky way to send bulk
emails as human error can often lead to the recipients’ email addresses being mistakenly
entered into the ‘To’ or ‘Cc’ field rather than the ‘Bcc’ field, resulting in the unintended
disclosure of the recipients’ email addresses (personal data) which can lead to regulatory
action being taken in the most serious of cases.
This is an error the ICO has seen on many occasions. Recently, when issuing a reprimand
to the Probation Board for Northern Ireland, the Information Commissioner commented,
“[I do not] consider the use of Bcc for group emails to be secure enough considering the
group of individuals involved and the risk of using Cc inadvertently”. Full details of this case can be found here.
The sixth data processing principle requires personal data to be processed securely. Article 32(1) and (2) of the UK GDPR require controllers to implement a level of security appropriate to the risk of processing personal data. This not only applies to technical solutions to mitigate risks, but also to organisational measures like staff training. Accordingly, it is important that staff at least understand the risks associated with using the Bcc function when sending bulk emails.
The sending of bulk emails for marketing purposes is covered by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended, while the UK GDPR lays down the requirements for consent for PECR compliance.