Don’t use BCC to email sensitive information, ICO warns

The Information Commissioner’s Office has released updated guidance on email security

Organisations should avoid using blind carbon copy (BCC) options in email software when sending sensitive personal information, as users often mistakenly use the carbon copy (CC) or To fields instead, the Information Commissioner’s Office (ICO) has said.

In updated guidance, the ICO recommended methods such as bulk email and mail merge services, which are designed to send a separate email to each recipient, or other more secure alternatives. It said that organisations should train staff in BCC and CC sending and ensure that third parties sending emails on their behalf have appropriate measures in place.
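The per-recipient approach the ICO recommends, as an added illustration that is not from the article or the ICO: each recipient gets their own message with a single visible address, and an outgoing check refuses any message whose To/Cc headers would expose more than one address. The sender, recipients and body are constructed sample values.

```python
from email.message import EmailMessage

# Constructed sample data (not from the article).
SENDER = "clinic@example.org"
RECIPIENTS = ["a.smith@example.org", "b.jones@example.org", "c.brown@example.org"]
SUBJECT = "Appointment reminder"
BODY = "Your appointment details are in the attached letter."


def build_individual_messages(sender, recipients, subject, body):
    """Return one EmailMessage per recipient, addressed only to that recipient.

    This is the mail-merge / bulk-email pattern: no message ever carries
    another recipient's address, so a CC/To slip cannot disclose anything.
    """
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt  # exactly one visible recipient per message
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses every recipient of this message will be able to see (To and Cc)."""
    addrs = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def check_before_send(msg, max_visible=1):
    """Outgoing gate for sensitive mail: returns (ok, reason).

    A hook like this in a sending script or relay catches the CC/To mistake
    the ICO describes before the message leaves the organisation.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} visible recipients in To/Cc (limit {max_visible})"
    return True, "ok"


if __name__ == "__main__":
    for m in build_individual_messages(SENDER, RECIPIENTS, SUBJECT, BODY):
        print(m["To"], check_before_send(m))
```

The gate is deliberately header-based so it can sit in front of any SMTP client; a real deployment would raise the limit only for low-risk, non-personal mailings.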

Email addresses are personal information if they can be used to identify the recipient, such as when they contain names. The ICO said it has seen nearly a thousand personal data breaches resulting from senders using CC or To rather than BCC since 2019, with organisations in the education sector committing the most BCC breaches, followed by health and local government.

“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved,” said Mihaela Jembei, the ICO’s director of regulatory cyber. “This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”

Earlier this year, the ICO reprimanded NHS Highland for forwarding an email from another organisation to 37 HIV service users without using BCC. This meant the recipients could see all the email addresses used, which in most cases included part or all of their names, with one recipient able to identify at least four people, including a former sexual partner. The health board avoided a fine of £35,000 under the ICO’s preference of helping public sector organisations to improve rather than draining their budgets.

More recently, the ICO reprimanded two organisations in Northern Ireland, the Patient and Client Council and the Executive Office, for sending emails using To and CC to people with experience of gender dysphoria and institutional abuse, respectively.

The ICO guidance said that BCC can be useful in low-risk situations, such as forwarding an internal newsletter to all staff, where BCC stops recipients from using Reply all and mistaken use of CC or To would have few consequences. But even this could be risky depending on the organisation or the topic of the newsletter.

PublicTechnology staff
