A warning from the ICO.

The article below was recently published in the compliance news section of the Privacy and Data Protection Journal. Email usage continues to present the highest risk to MVDC in terms of personal data breaches. This incident serves as a useful reminder for us all to regularly review the technical and organisational measures that are in place to ensure the security of personal data:

Regulator issues warning after Scottish charity reveals personal data in email error

The ICO is urging organisations to revisit their bulk email practices after failures by HIV Scotland led to a £10,000 fine. The Scottish charity breached Articles 5(1)(f), 32(1) and 32(2) of the UK GDPR when it sent an email to 105 people which included patient advocates representing people living in Scotland with HIV.

All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.

The ICO’s investigation of the February 2020 incident found shortcomings in the charity’s email procedures including inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy.

It also found that despite the charity’s own recognition of the risks in its email distribution and the procurement of a system that enables bulk messages to be sent more securely (via Mailchimp), it was continuing to use the less secure bcc method seven months later.
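The failure the ICO describes is mechanical: recipients placed in To or Cc are visible to every other recipient, while Bcc is stripped by the sending mail server. The check below is an added illustration, not code from the ICO, the Journal or the charity, of the kind of pre-send rule a mail gateway or DLP step could apply: it counts the recipients a message exposes, notes how many are identified by a display name, and rebuilds the message with everyone moved into Bcc. The message samples, the domain names and the threshold of five visible recipients are all constructed for the example and are not figures from the article.

```python
# Added example (not from the ICO article): a pre-send check that flags messages
# whose To/Cc headers expose recipients to one another, plus a helper that
# rewrites the message so the recipients sit in Bcc instead.
from email import message_from_string
from email.utils import formataddr, getaddresses

# Assumed policy threshold: more visible recipients than this is treated as a
# bulk mailing that should have gone out via Bcc or a bulk-mail system.
VISIBLE_LIMIT = 5


def visible_recipients(raw: str) -> list[tuple[str, str]]:
    """Return (display name, address) pairs every recipient will be able to see.

    Bcc is deliberately excluded: the sending MTA removes that header, so
    addresses placed there are not disclosed to the other recipients.
    """
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    seen: dict[str, str] = {}
    for name, addr in pairs:
        if addr:
            seen.setdefault(addr.lower(), name)  # de-duplicate by address
    return [(name, addr) for addr, name in seen.items()]


def hidden_recipients(raw: str) -> list[str]:
    """Addresses in Bcc, i.e. the ones the other recipients will not see."""
    msg = message_from_string(raw)
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_exposure(raw: str, limit: int = VISIBLE_LIMIT) -> dict:
    """Summarise what a message discloses about its recipient list.

    'named' counts visible recipients whose display name identifies a person,
    which is the detail that made the charity's disclosure more serious.
    """
    visible = visible_recipients(raw)
    named = [addr for name, addr in visible if name]
    return {"visible": len(visible), "named": len(named), "ok": len(visible) <= limit}


def rebuild_with_bcc(raw: str) -> str:
    """Move every To/Cc recipient into Bcc and address the message to its sender.

    This is the conventional way to send one message to many people without
    revealing the list; the original To/Cc/Bcc headers are replaced outright.
    """
    msg = message_from_string(raw)
    recipients = [formataddr(pair) for pair in visible_recipients(raw)]
    recipients += hidden_recipients(raw)
    for header in ("To", "Cc", "Bcc"):
        del msg[header]
    msg["To"] = msg["From"]
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


# Constructed sample: six recipients in To, three of them identified by name.
EXPOSED = """\
From: Bulletin <bulletin@charity.example>
To: Jane Doe <jane@example.org>, bob@example.net, Chris Smith <chris@example.com>, dana@example.org, Eli Brown <eli@example.com>, fay@example.net
Subject: Newsletter

Hello all.
"""

# Constructed sample of the intended pattern: sender in To, everyone else in Bcc.
SAFE = """\
From: Bulletin <bulletin@charity.example>
To: Bulletin <bulletin@charity.example>
Bcc: jane@example.org, bob@example.net, chris@example.com, dana@example.org, eli@example.com, fay@example.net
Subject: Newsletter

Hello all.
"""


if __name__ == "__main__":
    print("exposed:", check_exposure(EXPOSED))
    print("safe:   ", check_exposure(SAFE))
    print("fixed:  ", check_exposure(rebuild_with_bcc(EXPOSED)))
```

Run as a script it prints the verdict for each sample; in a gateway the `ok` field is the signal that blocks or holds the message, and `named` is worth logging separately because a list of bare addresses and a list of named individuals are different incidents when it comes to assessing harm.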
