ADVISORY NOTE 10/2024 – Using Bcc To Send Bulk Emails

Background

The Blind Carbon Copy (Bcc) function can be a useful tool when sending emails, as the recipients cannot see who else the email was sent to. It is often relied on when sending emails to a group of individuals so as not to reveal the recipients to one another (as would be the case if the Carbon Copy (Cc) field was used).

While the Bcc function helps protect personal data by concealing email addresses, it is a risky way to send bulk emails: human error can easily lead to the recipients’ email addresses being entered into the ‘To’ or ‘Cc’ field rather than the ‘Bcc’ field, resulting in the unintended disclosure of the recipients’ email addresses (personal data), which in the most serious cases can lead to regulatory action. Several ICO rulings show how this improper use has resulted in significant data breaches. Organisations should therefore consider whether additional technical safeguards, such as automated email distribution platforms, would offer a more robust solution in line with Article 32 (Security) of the UK GDPR.

This is an error the ICO has seen on many occasions. In May 2022, when issuing a reprimand to the Probation Board for Northern Ireland, the Information Commissioner commented, “[I do not] consider the use of Bcc for group emails to be secure enough considering the group of individuals involved and the risk of using Cc inadvertently”. Full details of this case can be found here.

Overview

The sixth data processing principle requires personal data to be processed securely. Article 32(1) and 32(2) of the UK GDPR require controllers to implement a level of security appropriate to the risk of processing personal data. This not only applies to technical solutions to mitigate risks, but also to organisational measures like staff training. Accordingly, it is important that staff at least understand the risks associated with using the Bcc function when sending bulk emails.

The sending of bulk emails for marketing purposes is covered by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended, while the UK GDPR lays down the requirements for consent for PECR compliance.

Risks

In Q2 (April to June) of 2024, 3,064 incidents were reported to the ICO. Data emailed to the wrong recipient was the most common incident type reported, making up 17% of the incidents reported in Q2. (Note: figures may not wholly align, as the Bcc incident may have been just one aspect of the reported incident/breach.) The full report can be found here.

In terms of outcomes, 455 ended in informal action, 5 resulted in no further action and 10 had not, at the point of publication, been allocated for consideration. This means that 2 were considered sufficiently serious to warrant further investigation, and these may yet result in formal regulatory action being taken, for example a fine.

The reputational risk for organisations is significant when this type of error occurs as it suggests the sending organisation has little regard for the personal data being processed, and that adequate security measures have not been implemented.

Regulatory Action

The ICO and EU Data Protection Authorities have consistently taken regulatory action against organisations misusing the Bcc function. Such breaches underscore the need for strict procedural compliance and technical solutions to mitigate these risks. Below are some examples of the regulatory action taken by the ICO over recent years.

In July 2018, the Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 by the ICO for sending a bulk email to 90 people whose email addresses were included in the ‘To’ field of an email rather than the Bcc field. 52 of the email addresses included the full name of individuals and the nature of the email communication meant it was possible for some victims of abuse to be identified. The ICO flagged several issues including a lack of guidance and training for staff.

In September 2021, the Ministry of Defence (MOD) was fined £350,000 by the ICO for a serious data breach in which 245 email addresses of individuals seeking relocation from Afghanistan were exposed. The breach occurred when the ‘To’ field was mistakenly used instead of the ‘Bcc’ field, revealing the personal data of vulnerable individuals. The ICO found that the MOD had failed to implement adequate organisational measures, such as proper training for its staff, leading to a violation of Article 5(1)(f) of the UK GDPR.

In October 2022, Central YMCA was fined £7,500 by the ICO for a personal data breach involving the disclosure of 270 email addresses. A program coordinator mistakenly used the ‘Cc’ function instead of the ‘Bcc’ function when sending an email to invite individuals to a nutrition talk. The email addresses included special category data, as the recipients were part of a program for individuals living with HIV. Central YMCA had policies in place, but the lack of proper monitoring and implementation of technical solutions led to the breach, violating Articles 5(1)(f) and 32(1) and 32(2) of the UK GDPR.

Reducing the risk

Using the ‘Bcc’ function is not an appropriate method to send bulk emails because errors can easily be made that put organisations at risk of regulatory action depending on the nature and content of the communication.

Email marketing platforms send emails to each recipient separately, thereby reducing the risk of inadvertently disclosing personal data in the ‘To’ or ‘Cc’ fields. In addition to using such platforms, organisations should establish internal verification procedures, such as a ‘second pair of eyes’ review before sending bulk emails. This approach, implemented by the MOD after its breach, can significantly reduce human error. Furthermore, email systems should be configured to warn users when the ‘To’ or ‘Cc’ fields are used instead of ‘Bcc’.

The following advice is offered to organisations that choose not to use an email marketing platform, and instead continue to utilise their own email system for sending bulk communications:

  • Assess any proposed bulk email communication activity on a case-by-case basis, taking into account the nature of the email communication, the category and number of recipients, and the purpose of the communication.
  • Consider the type of recipient and whether they would be content to have their email addresses divulged to the other recipients. For example, work colleagues or members of a small association who are known to one another.
  • If the use of the Bcc function is considered to be the most appropriate method of circulation, then the composed message should be double-checked before it is sent, perhaps by another member of staff, to avoid human error.
  • Consider technical solutions, such as setting up rules on the email system to either delay the sending of emails or warn when ‘Cc’ is being used, forcing users to double-check that messages are correct before being sent.
  • Ensure that policies, procedures and guidance covering bulk email transmissions are documented and followed. Conduct audits as appropriate.
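The warning and delay rules described above (configuring the email system to warn when ‘To’ or ‘Cc’ is used for a group, or to hold bulk messages for a double-check) can be expressed as a pre-send check on the draft message. The following is an added illustration written for this note, not a tool from the ICO or from any email platform; it uses only Python’s standard library, the threshold of five visible addresses is an assumption, and the sample drafts and addresses are constructed.

```python
"""Pre-send check for bulk email drafts.

Flags drafts whose To/Cc headers would disclose a group of recipients to one
another, and holds large Bcc sends for a second-person review before release.
Added example; the threshold and sample drafts are assumptions/constructions.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumption (not taken from the advisory): more than this many addresses is
# treated as a bulk send that needs either Bcc, a platform, or a review step.
VISIBLE_LIMIT = 5


def addresses_in(msg, header):
    """Every address in every occurrence of `header`, lower-cased, blanks dropped."""
    pairs = getaddresses(msg.get_all(header, []))
    return [addr.lower() for _, addr in pairs if addr]


def check_outgoing(raw_message, limit=VISIBLE_LIMIT):
    """Decide what the mail system should do with a draft.

    Returns a dict with the visible (To/Cc) and hidden (Bcc) recipient counts,
    an action of 'block', 'hold' or 'send', and a human-readable reason.
    """
    msg = message_from_string(raw_message)
    visible = addresses_in(msg, "To") + addresses_in(msg, "Cc")
    hidden = addresses_in(msg, "Bcc")  # the Bcc header still exists in a draft
    result = {"visible": len(visible), "hidden": len(hidden)}

    if len(visible) > limit:
        # Addresses in To/Cc are delivered to every recipient: refuse to send.
        result["action"] = "block"
        result["reason"] = (f"{len(visible)} addresses in To/Cc would be disclosed "
                            "to every recipient; move them to Bcc or use a "
                            "distribution platform")
    elif len(hidden) > limit:
        # Bcc is correct, but a bulk send is delayed for a second pair of eyes.
        result["action"] = "hold"
        result["reason"] = (f"bulk Bcc send with {len(hidden)} hidden recipients "
                            "held for second-person review before release")
    else:
        result["action"] = "send"
        result["reason"] = "recipient count below bulk threshold"
    return result


# Constructed sample drafts (example.org addresses, not real messages).
DRAFT_SMALL = """From: sender@example.org
To: alice@example.org, bob@example.org
Subject: Team meeting

See you at 10.
"""

DRAFT_EXPOSED = """From: sender@example.org
To: r1@example.org, r2@example.org, r3@example.org, r4@example.org, r5@example.org, r6@example.org
Subject: Invitation to a talk

Join us next week.
"""

DRAFT_HIDDEN = """From: sender@example.org
To: sender@example.org
Bcc: r1@example.org, r2@example.org, r3@example.org, r4@example.org, r5@example.org, r6@example.org
Subject: Invitation to a talk

Join us next week.
"""

if __name__ == "__main__":
    for name, draft in [("small", DRAFT_SMALL), ("exposed", DRAFT_EXPOSED), ("hidden", DRAFT_HIDDEN)]:
        outcome = check_outgoing(draft)
        print(f"{name:8} -> {outcome['action']:5} ({outcome['reason']})")
```

The check reads the draft exactly as a submission-time rule would see it: the Bcc header is still present before the sending server strips it, so the rule can distinguish a correctly hidden group (held for review) from an exposed one (blocked). Where a system can only warn rather than block, the ‘block’ outcome maps to the warning prompt described in the list above.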

Further advice and guidance is available on the ICO’s website: Email and security | ICO

Conclusion

Implementing appropriate technical and organisational measures can help reduce the risk of emails being sent inappropriately. Such measures should include the adoption of policies, procedures and guidance that set out the organisation’s approach to data protection and, in particular, how to deal with bulk emails.

The technical and organisational measures implemented by a controller may include procuring an email marketing platform, which could require the organisation to undertake a Data Protection Impact Assessment (DPIA) to understand and mitigate any risks associated with processing personal data in this way.

Ultimately, when this type of breach occurs, it is the reputational harm that will be most damaging to the organisation, insofar as individuals may no longer trust the organisation to process their personal data appropriately and securely; for smaller organisations in particular, this can have a significant impact on revenue streams. Organisations must ensure that their policies, procedures and guidance are not only documented but actively implemented. The use of real-time automatic warnings and audit trails within email platforms can help flag potential breaches before they occur.