Looking at the statistics published about the causes of data breach, email breaches always stand out as the most common. It has been widely publicised how easy it is to have a data breach using email. In spite of this, another mistake has been made by an organisation sending bulk emails and failing to use the BCC facility correctly.

HIV Scotland sent out an email to over one hundred people, including patient advocates representing people with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. The personal data breached allowed assumptions to be made about the HIV status or risk of the recipients.

The Information Commissioner’s Office (ICO), the data protection regulator for the UK, has investigated the breach and found that the charity’s email procedures did not meet required standard of GDPR. Staff training was found to be inadequate, incorrect methods were being used to send bulk emails and the overall data protection policy was also found to be inadequate.

Moreover, the ICO discovered that the charity was aware seven months before the breach of the short-comings of their bulk email distribution method and had procured a more secure system for sending messages, but they had continued to use the less secure method.

A fine of £10,000 has now been announced by ICO for HIV Scotland.

The ICO said:
“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.”

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

Tips for using email securely

1. Consider whether the contents of your email need to be encrypted. This depends on nature of the content (does it contain personal data?) and whether or not the recipient is on the same secure server as you. If in doubt, check with your line manager or IT department.

2. If you want to send an email to a recipient without revealing their address, use a single email per recipient or the Blind copy (BCC) feature. Take care using the BCC feature; should the recipient reply to the email using ‘reply all’, their message would be seen by the other recipients and their email address would be visible.
3. Never forward an email without first scrolling down to check the contents. (Sometimes emails are forwarded several times and earlier messages may contain personal data or sensitive information).
4. Do not keep emails indefinitely without a business reason. The company’s data retention policy should specify how long emails should be kept. Remember to check your ‘Sent’, ‘Draft’ and ‘Deleted’ folders as well as your ‘Inbox’.

5. Before sending an email, double check the address field. The ‘auto fill’ feature can cause emails to be sent to the wrong recipient with a similar name. It is possible to disable this feature in your email system, but this is not always practical.

The UK-GDPR requires that companies demonstrate their accountability for data protection, which means keeping records of training and having written procedures which are reviewed on a regular basis and any changes communicated to staff. See our Home page to find out how we can help you to meet the UK-GDPR Accountability requirements.