Often a personal data breach does much greater damage to an organisation’s reputation and credibility than a large fine from the ICO. I came across a very sad story recently about a personal data breach at the end of 2020 that demonstrates the pain a simple data breach can cause.

A City Council sent out an email asking for views on one of their new support services and enquiring how they could improve it. This type of email is currently very commonplace as the modern way for a company or service to gain valuable feedback from its customers which it can then use to promote and improve its offerings and services.

Unfortunately, this email was sent out to hundreds of disabled children, their families and carers, and the names and email addresses of every recipient were visible to all the others. This is a very easy mistake to make, but one that should be well known to most of us by now. When a single email is sent to everyone on a list with all the recipients in the ‘Copy’ (CC) field, every recipient can see every other recipient’s address. The problem is easily avoided by using the ‘Blind Copy’ (BCC) field instead: each recipient then sees the sender’s address and nobody else’s.

The Council was put in an embarrassing position by the breach; while actively seeking to engage with its service users and improve its service, it only succeeded in angering and upsetting the people it should have been supporting. And, of course, it was obvious what they needed to do to improve their service.

What is striking about this story is the degree of pain a simple data breach can cause. One parent said that she felt the breach was indicative of the Council’s ‘lack of concern and indifference’ to the plight of disabled children in the city; and she believed that the incident ‘illustrated the disdain’ the council felt for the children and their families. So, rather than making their customers feel cared about and their views respected, the Council concerned made the families feel disregarded and unloved. Rather than promoting themselves as a responsible organisation, they lost the trust and respect of their customers.

It is always important to bear in mind who the data subjects are and the nature of the information being handled. In this case, the data subjects were disabled children and the information shared revealed their vulnerabilities. Carrying out a risk assessment (called a Data Protection Impact Assessment, or DPIA) for any project using this type of data and this type of data subject could have identified email as a potential risk. DPIAs are mandatory under the UK-GDPR for certain projects, such as those involving the use of special category data. Sometimes human error is unavoidable, but it can be minimised by complying with the data protection legislation. Although some see it as a box-ticking exercise, companies that have effective data protection policies and procedures in place and invest in regular staff training suffer fewer accidental data breaches.

Regular reports from the ICO on the number and types of data breaches notified to them show that there are consistently more non-cyber security breaches than actual cyber ones. Across most sectors, the most common types of non-cyber incident are: data emailed to the wrong recipient, data posted or faxed to the wrong recipient, and failure to use the blind copy (BCC) field for email addresses.

Some email tips:

1. Consider whether the contents of your email need to be encrypted. This depends on the nature of the content (does it contain personal data?) and whether or not the recipient is on the same secure server as you. If in doubt, check with your Manager or IT department.

2. If you want to send an email to a recipient without revealing their address, use a single email per recipient or the Blind copy (BCC) feature.

3. Never forward an email without first scrolling down to check the contents. (Sometimes emails are forwarded several times and earlier messages may contain personal data or sensitive information).

4. Do not keep emails indefinitely without a business reason. The company’s data retention policy should specify how long emails should be kept. Remember to check your ‘Sent’, ‘Draft’ and ‘Deleted’ folders as well as your ‘Inbox’.

5. Before sending an email, double check the address field. The ‘auto fill’ feature can cause emails to be sent to the wrong recipient with a similar name. It is possible to disable this feature in your email system, but this is not always practical.
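The CC/BCC point made above and in tip 2 can be checked mechanically rather than left to memory. The following is an added example, not code from the original article or from any Council system: it builds a survey-style mailing in Python’s standard `email` library, shows that every address placed in CC is readable by every recipient while BCC addresses are stripped from the delivered copy, and adds a simple pre-send guard that refuses a message exposing more than a permitted number of external addresses in To/Cc. The sender domain, recipient addresses and threshold are constructed sample values.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed sample data (not real addresses).
SENDER = "surveys@council.example"
SENDER_DOMAIN = "council.example"
RECIPIENTS = [
    "parent.one@example.org",
    "carer.two@example.org",
    "family.three@example.org",
]


def build_bulk_message(sender, recipients, subject, body, field="Bcc"):
    """Build one message to many recipients.

    field="Cc" reproduces the mistake described in the article: every
    address is placed in a visible header.  field="Bcc" is the safe form;
    To is set to the sender so no recipient address appears in any header
    that survives delivery.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg[field] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Who actually receives the mail: the union of To, Cc and Bcc.

    The sending client hands this list to the SMTP server as RCPT TO
    commands; it is independent of which headers are later visible.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def prepare_for_delivery(msg):
    """Return the copy each recipient receives: identical except that the
    Bcc header has been removed, as a sending client must do before the
    message leaves the organisation."""
    delivered = message_from_bytes(msg.as_bytes(), policy=default)
    del delivered["Bcc"]
    return delivered


def visible_addresses(msg):
    """Addresses any recipient can read in the delivered copy (To and Cc)."""
    delivered = prepare_for_delivery(msg)
    fields = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def check_before_send(msg, sender_domain, max_visible_external=1):
    """Pre-send guard.  Counts addresses outside sender_domain that would be
    visible to every recipient and refuses the message if there are more
    than max_visible_external of them.  Returns (ok, reason)."""
    suffix = "@" + sender_domain.lower()
    external = [a for a in visible_addresses(msg) if not a.lower().endswith(suffix)]
    if len(external) > max_visible_external:
        return False, (f"{len(external)} external addresses are visible in To/Cc; "
                       "move them to Bcc or send one email per recipient")
    return True, "ok"


if __name__ == "__main__":
    for field in ("Cc", "Bcc"):
        msg = build_bulk_message(SENDER, RECIPIENTS, "Your views on our service", "Hello.\n", field)
        print(f"--- recipients placed in {field} ---")
        print("envelope recipients:", envelope_recipients(msg))
        print("visible to everyone:", visible_addresses(msg))
        print("pre-send check:", check_before_send(msg, SENDER_DOMAIN))
```

Both variants reach the same three recipients, which is the point: the mailing works either way, and only the pre-send check (or a disciplined habit of using BCC) distinguishes the safe message from the one that causes the breach. In a real deployment the check would sit in an outbound mail gateway or a client add-in; the threshold of one external visible address allows ordinary one-to-one correspondence while catching bulk mailings.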

The UK-GDPR requires that companies demonstrate their accountability for data protection, which means keeping records of training and having written procedures which are reviewed on a regular basis, with any changes communicated to staff. See our Home page to find out how we can help you to meet the UK-GDPR Accountability requirements.