What’s this all about?
The UK data protection regulator the Information Commissioner’s Office (“the ICO”) recently issued “Guidance on Email and Security” (“the Guidance”), which focuses on emails sent to multiple recipients (bulk email). This article looks at this in brief.
Why the need for guidance?
According to the ICO “Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.” Therefore, the ICO has issued this guidance “to help organizations get email security right.”
What does the Guidance say in a nutshell?
According to the ICO:
- “Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them.
- You must assess what technical and organizational security measures are appropriate to protect personal information when sending bulk emails (emails that you send to multiple recipients).
- You should train staff about security measures when sending bulk communications by email.
- You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy (BCC). This helps ensure you are not sharing personal information with other people by mistake.”
As the ICO also says, in the guidance “sensitive information may include, but is not limited to, special category information. Whether information is sensitive can depend on the context and you should consider what impact it would have on people if there was a breach. For example, financial information or information that might be used to commit ID fraud would be sensitive information for these purposes.”
The Guidance in a bit more detail
Edited highlights of the Guidance include the following:
- “Is an email address personal information?
If you are able to identify a living person, whether directly or indirectly, from it, then an email address is personal information.
Some email addresses can reveal more information about someone, such as where they work (if it is a corporate email address).
Remember that even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive information about them.”
- “Can we use BCC?
You might use BCC with other measures if the personal information you’re sharing isn’t sensitive and there’s little risk. For example, if you have general information, such as an internal newsletter, and you wish to avoid ‘Reply all’ responses.
However, it is important to remember that depending on the nature of the organization or the newsletter, knowing who has received it may reveal sensitive information about the recipients.
You should assess whether using other secure methods is more appropriate, such as bulk email services or mail merge services. Google and Microsoft provide support on how to use mail merge.”
- “What are our legal obligations?
You must ensure the measures you implement:
- protect information from being modified or changed (integrity);
- prevent people who are not authorized to view it from accessing it (confidentiality); and,
- ensure only people who it is intended for can access it (availability).”
- “What security measures should we use?
While BCC can be a useful function, it’s not enough on its own to properly protect people’s personal information. If you are sending any sensitive personal information, you should use alternatives to BCC.
If you accidently use CC instead of BCC, you will disclose recipients’ email addresses. Even when using BCC, remember that the content of the email remains visible. Unencrypted emails are like postcards – they can be read at any one of the servers they pass through. BCC only protects addresses from view and offers no protection for information contained within the email content.”
- “What are the alternatives?
You must assess which appropriate measures to put in place. You could:
- set rules within your email system to provide alerts and warn email senders when they use the CC field;
- set a delay, allowing time for you to correct errors before the emails leave the organization’s system;
- turn off the auto-complete email function to prevent the system suggesting email addresses in the recipient’s box; and,
- use the National Cyber Security Centre (NCSC) email security check tool.”
- “What about staff training?
As part of your organizational measures, you should train all staff about the security risks of sending bulk communications by email. Effective staff training can reduce the risk of human error. This training could cover:
- guidance on when bulk emails are appropriate;
- best practice, secure alternatives to email; and,
- how to recall emails sent in error.”
- “What else could we consider?
When sending emails to multiple recipients that contain or relate to special category information, you must consider using other secure methods. For example, using bulk email services, mail merge or secure data transfer services. Your email service provider should provide further information on how to use mail merge. For example, Google and Microsoft provide support on how to use mail merge.”
What are the takeaways?
Poor data protection email practice is a serious issue. The ICO states that where it sees “negligent behaviour that puts people at risk of harm [it] will not hesitate to use the full suite of enforcement tools available to [them]” – the ICO also refers in case studies that it provides in the Guidance to having fined organizations who have behaved in this way.
Organizations should therefore consider doing the following:
- Check their policies and procedures to make sure that they address such email issues; and,
- Train staff on good data protection email practice.
Bear in mind that the Guidance is by no means exhaustive of all possible issues, and guidance is only guidance – only a court has the final say on what the law means.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The ICO guidance “Email and Security” can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
|Office: +44 (0)207 075 1784
|Office: +44 (0)207 347 2365