ICO publishes new guidance on sending bulk communication by email

August 31, 2023

The Information Commissioner’s Office has issued a warning to organisations to use alternatives to the blind carbon copy (BCC) email function when sending emails containing sensitive personal information, following several high profile data breaches by organisations.

The warning accompanies new guidance from the ICO to help organisations understand the law and good practice around protecting personal information when sending bulk emails.

The ICO says that the critical importance of using appropriate methods to send bulk communications is emphasised in its recent enforcement action. In August 2023 the ICO reprimanded two Northern Irish organisations for disclosing people’s information inappropriately via email. Further, in March the ICO issued a reprimand to NHS Highland for a “serious breach of trust” after a data breach involving those likely to be accessing HIV services.

According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019. The education sector is the biggest offender for BBC breaches, with health in second, then local government, retail and the charity sector all in the top five.

The ICO has set out four key issues:

  • Under data protection law, organisations must have appropriate technical and organisational measures in place to ensure personal information is kept safe and not inappropriately disclosed to others.
  • Organisations that use and share large amounts of data, including sensitive personal information, should consider using other secure means to send communications, such as bulk email services, so information is not shared with people by mistake.
  • Organisations should also consider having appropriate policies in place and training for staff in relation to email communications.
  • For non-sensitive communications, organisations that choose to use BCC should do so carefully to ensure personal email addresses are not shared inappropriately with other customers, clients, or other organisations.