Incorrect use of email ‘BCC’ could result in fines for businesses

Privacy watchdog warns accidental misuse of ‘blind carbon copy’ on emails has led to data breaches

Schools and the NHS risk fines if they copy people into emails incorrectly, Britain’s privacy watchdog has warned. 

The Information Commissioner’s Office (ICO) has put organisations on notice over the accidental misuse of “blind carbon copy” – or “BCC” – on emails, which has led to a spate of data breaches.

Schools and universities are the biggest offenders for email errors, the ICO said, followed by health services and local government. 

It comes after the ICO investigated a “catalogue of business blunders” where staff have inadvertently listed email recipients in the “to” or “CC” address fields, exposing every address to every recipient, when those addresses should have been hidden.

Sending an email using BCC hides the addresses of the intended recipients from the other recipients, but the ICO said the field was routinely misused or forgotten. It advised organisations to instead use alternatives, such as mail merge tools or professional bulk email software, which send each person a separate message rather than relying on staff to pick the right field.
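The two approaches the ICO contrasts can be shown in code. The example below is an added illustration, not code from the ICO or from any organisation named in this article: it builds the mistaken form (every recipient in the “To” field), the mail-merge form (one message per recipient), and a pre-send check that rejects a message exposing more than one external address in “To” or “CC”. The sender domain, the recipient list and the threshold are all constructed for the example and are not real.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example only; none of these addresses is real.
SENDER = "comms@example-trust.nhs.uk"
INTERNAL_DOMAINS = {"example-trust.nhs.uk"}   # assumed: the sending organisation's own domain
RECIPIENTS = [
    ("Alice Example", "alice@example.org"),
    ("Bob Example", "bob@example.net"),
    ("Carol Example", "carol@example.com"),
]
SUBJECT = "Invitation to contribute to an art competition"
BODY = "Dear {name},\n\nWe would be delighted if you took part.\n"


def build_bulk_message(sender, subject, body, recipients):
    """The mistake the ICO describes: one message with every recipient in 'To',
    so each person receives the full list of addresses."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(f"{name} <{addr}>" for name, addr in recipients)
    msg["Subject"] = subject
    msg.set_content(body.format(name="all"))
    return msg


def build_individual_messages(sender, subject, body, recipients):
    """Mail-merge pattern: one message per recipient. No recipient can see any
    other because no other address is ever placed on the message."""
    messages = []
    for name, addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = f"{name} <{addr}>"
        msg["Subject"] = subject
        msg.set_content(body.format(name=name))
        messages.append(msg)
    return messages


def visible_external_recipients(msg, internal_domains):
    """Addresses every recipient will see: those in 'To' and 'Cc' that are not
    on an internal domain. 'Bcc' is deliberately not counted, because a
    correctly behaving sender (e.g. smtplib.send_message) strips it before
    transmission; that is the whole point of the field."""
    visible = []
    for header in ("To", "Cc"):
        values = [str(v) for v in msg.get_all(header, [])]
        for _name, addr in getaddresses(values):
            if not addr:
                continue
            domain = addr.rpartition("@")[2].lower()
            if domain not in internal_domains:
                visible.append(addr.lower())
    return visible


def check_outbound(msg, internal_domains, max_visible_external=1):
    """Pre-send safeguard of the kind a mail gateway or add-in can apply.
    Returns (ok, reason); a message that exposes more than
    max_visible_external outside addresses is rejected."""
    visible = visible_external_recipients(msg, internal_domains)
    if len(visible) > max_visible_external:
        return False, (f"{len(visible)} external addresses visible in To/Cc; "
                       "send individually or move them to Bcc")
    return True, "ok"


if __name__ == "__main__":
    bulk = build_bulk_message(SENDER, SUBJECT, BODY, RECIPIENTS)
    print("bulk message:", check_outbound(bulk, INTERNAL_DOMAINS))
    for m in build_individual_messages(SENDER, SUBJECT, BODY, RECIPIENTS):
        print(m["To"], "->", check_outbound(m, INTERNAL_DOMAINS))
```

The check counts only external addresses so that copying in a colleague on the organisation's own domain does not trip it, and it treats a single visible outside address as normal correspondence. Where it runs (a mail gateway, an Outlook add-in, the bulk-mail tool itself) is a deployment choice; the point is that the decision is made by software before the message leaves, not by a person choosing between three adjacent fields.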

The watchdog said it had received more than 1,000 reports of email data breaches involving BCC since 2019. Emails sent to the wrong recipient accounted for nearly a fifth of all incident reports to the regulator last year.

Such accidents could have damaging consequences. 

In 2022, the ICO issued a fine of £78,400 to the Tavistock and Portman NHS Foundation Trust for sending out the personal email addresses of 1,781 adult gender identity patients. The breach happened as the trust tried to invite patients to contribute to an art competition. Within 30 minutes it had been leaked online.

The regulator rebuked the trust for having no technical safeguards in place for this “very predictable human error”.

In March, the ICO also issued an official reprimand to NHS Highland after it disclosed the email addresses of 37 people who were accessing HIV services. One recipient was able to identify four others on the list from their email addresses. 

An inquiry into historic child abuse in Northern Ireland, meanwhile, sent a newsletter to 251 people revealing their email addresses, making it possible to infer they were victims.

Mihaela Jembei, a director at the ICO, said: “Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.

“Where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”

The data regulator has also been investigating a major leak from the Police Service of Northern Ireland. The police force blamed human error after it issued a response to a Freedom of Information request with a spreadsheet revealing the names of 200 officers and staff, information that could be used to target them.

The ICO has the power to issue fines of up to £17.5m for the most serious data breaches. However, it has said it will use “discretion” when issuing penalties to the public sector, only fining organisations in the most serious cases.