Latest updates - last updated 30 August 2023
30 August 2023 - This guidance was published.
To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
- Must refers to legislative requirements.
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.
At a glance
- Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them.
- You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails (emails that you send to multiple recipients).
- You should train staff about security measures when sending bulk communications by email.
- You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy (BCC). This helps ensure you are not sharing personal information with other people by mistake.
- If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email.
Note: In this guidance, sensitive information may include, but is not limited to, special category information. Whether information is sensitive can depend on the context and you should consider what impact it would have on people if there was a breach. For example, financial information or information that might be used to commit ID fraud would be sensitive information for these purposes.
☐ We recognise that email addresses can be personal information.
☐ We train all staff on using CC (carbon copy) and BCC when sending emails.
☐ We have assessed what measures we need to implement. We have taken into account the nature of the information and the potential security risks, while also balancing the costs of implementation against the benefits of state of the art options.
☐ We use additional security measures or alternatives to email when sending sensitive or confidential information.
☐ We regularly review relevant policies, test our measures and, where necessary, improve them, to ensure they remain effective.
☐ If we use a third party to send emails on our behalf, we ensure they also implement appropriate technical and organisational measures in line with legal requirements for controllers and processors.
- Is an email address personal information?
- What are CC and BCC for?
- Can we use BCC?
- What are our legal obligations?
- What security measures should we use?
- What are the alternatives?
- What about staff training?
- What else could we consider?
- When and how do we report breaches?
At the ICO, we’ve seen hundreds of personal data breach reports where a sender has misused the ‘BCC’ field.
This guidance explains what to consider before you send out bulk emails.
While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. If you are sending any sensitive personal information, you should use alternatives to BCC.
If you are able to identify a living person, whether directly or indirectly, from it, then an email address is personal information.
An email address which clearly relates to a particular person is personal information. For example, if it is in a format such as [email protected] it will reveal the name of the person who will receive the email. Our guidance on “What is personal data?” explains in more detail when a person is identifiable.
Some email addresses can reveal more information about someone, such as where they work (if it is a corporate email address).
Remember that even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive information about them.
In 2019, an NHS trust sent bulk emails about an art competition to their patients.
They had extracted the addresses from their patient record system and manually copied them into the ‘To’ field of the email, instead of the ‘BCC’ field. This disclosed the addresses of all recipients to each other.
The staff member attempted, unsuccessfully, to recall the messages.
The fact the email was directed to patients of the clinic revealed sensitive information about the recipients (that the recipients were active patients of the trust), even though the contents of the email (promotion of an art competition) did not disclose any personal or sensitive information.
When you use carbon copy, all those in the ‘To’ field and the ‘CC’ field can see each other’s email addresses. You may use this to inform the recipient that other relevant people are aware of the email.
When you use BCC, all those in the ‘BCC’ field can’t see each other’s email addresses. You may use this to copy in someone discretely or send a bulk email with a large mailing list. However, forgetting to use BCC, frequently leads to the accidental disclosure of all the recipients’ email addresses.
You might use BCC with other measures if the personal information you’re sharing isn’t sensitive and there’s little risk. For example, if you have general information, such as an internal newsletter, and you wish to avoid ‘Reply all’ responses.
However, it is important to remember that depending on the nature of the organisation or the newsletter, knowing who has received it may reveal sensitive information about the recipients.
In February 2020, a charity sent an email containing an agenda for an event they were running to 105 members of a HIV advisory board.
Despite the organisation procuring an email automation platform in order to secure emails, the migration to the new platform was incomplete. This resulted in a staff member manually adding email addresses to the CC field, instead of the BCC field.
65 of the 105 email addresses clearly identified recipients, with two recipients contacting the charity to highlight the incident.
Whether or not special category information was disclosed, we found sensitivities around the nature of the charity’s work meant there was potential for the incident to cause recipients distress. Therefore, the organisation should have treated the information in the same way as special category information. One recipient stated they were able to identify at least four people, one of whom was a previous sexual partner.
Amongst other findings, we considered the reliance on ‘BCC’ for communication to this group of people was not an appropriate security measure to manage these communications and they could have adopted other methods.
We fined the charity for this breach.
You have a legal obligation to keep any personal information you process secure, which includes emails and email addresses.
You must assess which technical and organisational security measures are appropriate to protect personal information.
You must ensure the measures you implement:
- protect information from being modified or changed (integrity);
- prevent people who are not authorised to view it from accessing it (confidentiality); and
- ensure only people who it is intended for can access it (availability).
If you are using a third party to send emails on your behalf, you must ensure that they follow your requirements. You must also consider whether the third party is itself a controller or processor of the personal information.
Guidance for controllers and processors is available on the ICO website.
The types of measures you choose to implement will depend on the nature of the information. You can consider the costs of implementation in making your choice. However, you must use a risk-based approach to ensure you are protecting personal information appropriately and take account of best-practice (state of the art).
Failing to implement adequate measures will lead to operational and reputational risk. But far more importantly, can lead to serious risk of harm for people whose information is not protected. While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. If you are sending any sensitive personal information, you should use alternatives to BCC.
If you accidently use CC instead of BCC, you will disclose recipients’ email addresses. Even when using BCC, remember that the content of the email remains visible. Unencrypted emails are like postcards - they can be read at any one of the servers they pass through. BCC only protects addresses from view and offers no protection for information contained within the email content.
You must assess which appropriate measures to put in place. You could:
- set rules within your email system to provide alerts and warn email senders when they use the CC field;
- set a delay, allowing time for you to correct errors before the emails leave the organisation’s system;
- turn off the auto-complete email function to prevent the system suggesting email addresses in the recipient's box; and
- use the National Cyber Security Centre (NCSC) email security check tool.
Ultimately, it is your responsibility to determine what technical and organisational measures are appropriate, taking into the account the nature of personal information you are communicating and the risks involved.
As part of your organisational measures, you should train all staff about the security risks of sending bulk communications by email. Effective staff training can reduce the risk of human error. This training could cover:
- guidance on when bulk emails are appropriate;
- best practice, secure alternatives to email; and
- how to recall emails sent in error.
You should review your organisation’s relevant policies and guidance on a regular basis. In particular, when you are making substantive changes to your organisational structure, or you are planning to implement new systems or policies that affect your approach to security.
Email has increasingly become the default choice for efficiently sharing information, but this doesn’t always make it the best choice.
You should only send personal information to those who require it and, as far as possible, minimise the amount you send.
When sending emails to multiple recipients that contain or relate to special category information, you must consider using other secure methods. For example, using bulk email services, mail merge or secure data transfer services. Your email service provider should provide further information on how to use mail merge. For example, Google and Microsoft provide support on how to use mail merge.
A personal data breach can cause harm to people. Staff must report unauthorised disclosures to those responsible for data protection within your organisation. You should foster a supportive culture to encourage prompt reporting. By handling any incident effectively, you will reduce the risk of harming people.
You should have robust internal reporting processes to allow key staff to quickly:
- risk-assess the seriousness of the situation;
- notify people where necessary; and
- report to the ICO, if required.