To BCC, or not to BCC – ICO fine answers the question

Companies which fail to provide adequate training to staff on bulk email practices – which can lead to insecure use of the carbon copy (CC) and blind carbon copy (BCC) fields – have been warned to shape up or face potential action by the data protection regulator.

The threat follows an Information Commissioner’s Office investigation into the email practices at HIV Scotland, an organisation that works to make policy and advocacy changes for people living with HIV in Scotland, PrEP users, and people at risk of HIV.

HIV Scotland’s Community Advisory Network (CAN) brings together patient advocates from across Scotland to represent the full diversity of people living with HIV. Individuals sign up to be part of this network to help support and inform the work of the charity and receive semi-regular email updates, usually surrounding one of their quarterly meetings.

Having identified its online mailing/database programme as a key organisational priority in April 2019, in June 2019 HIV Scotland made a decision to procure a MailChimp account.

The procurement took place in July 2019. Over the following months a number of lists held by HIV Scotland were migrated to MailChimp to provide the necessary functionality for bulk messages to be sent in a more secure manner.

However, at the time of the incident, in February 2020, the CAN list was not one of those which had been migrated, so the charity sent the email from Microsoft Outlook to 105 individual members.

But instead of using the BCC field, the email put all 105 addresses in the CC field, showing the email addresses of all intended recipients to everyone who received the email; 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.
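The mechanism behind the error is worth seeing in code. What BCC does on the wire is keep the recipient list in the SMTP envelope (RCPT TO) and out of the delivered headers; CC writes every address into a header that each recipient can read. The following is an added example, not code from HIV Scotland, the ICO or any mailing tool named in the article: it builds a list message the safe way, builds the leaky CC version the article describes, and runs a pre-send check that refuses a bulk message with individual addresses visible in To or Cc. The mailing list, sender address and SMTP relay are constructed sample data, not real addresses.

```python
"""Bulk email without exposing recipients, plus a guard against the CC mistake.

Added example, not part of the ICO decision or HIV Scotland's procedures.
All addresses below are constructed sample data.
"""
import smtplib
from email.message import EmailMessage

# Constructed stand-in for a mailing list (not real people).
CAN_LIST = [
    "alice.example@example.org",
    "bob.example@example.net",
    "carol.example@example.com",
]
SENDER = "updates@example.org"  # hypothetical sender address


def build_bulk_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients) for a list send.

    The delivered headers name only the sender and an empty RFC 5322 group
    ("Undisclosed recipients:;"); the real recipients are returned separately
    so they go only into the SMTP envelope. That is what Bcc amounts to.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Undisclosed recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_leaky_message(sender, recipients, subject, body):
    """What the Outlook CC mistake produces: every address in the Cc header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see: all addr-specs in To and Cc."""
    seen = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            # EmailMessage parses address headers; an empty group yields no addresses.
            seen.extend(addr.addr_spec for addr in header.addresses)
    return seen


def check_before_send(msg, max_visible=1):
    """Policy gate: a message with more than max_visible addresses in To/Cc
    is treated as a bulk send that should have used Bcc. Returns (ok, reason)."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc; move them to Bcc"
    return True, "ok"


def rewrite_as_bcc(msg):
    """Remediate a leaky message in place: strip To/Cc and hand the addresses
    back for the envelope. Returns (message, envelope_recipients)."""
    envelope = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = "Undisclosed recipients:;"
    return msg, envelope


def send_bulk(msg, envelope_recipients, host="localhost", port=25):
    """Deliver with recipients only in the envelope. Not called in the demo;
    assumes a reachable relay at host:port."""
    ok, reason = check_before_send(msg)
    if not ok:
        raise ValueError(reason)
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=str(msg["From"]), to_addrs=envelope_recipients)


if __name__ == "__main__":
    leaky = build_leaky_message(SENDER, CAN_LIST, "CAN update", "Meeting details.")
    print("leaky message:", check_before_send(leaky))
    safe, envelope = build_bulk_message(SENDER, CAN_LIST, "CAN update", "Meeting details.")
    print("safe message:", check_before_send(safe), "envelope:", envelope)
    fixed, envelope = rewrite_as_bcc(leaky)
    print("after rewrite:", check_before_send(fixed), "envelope:", envelope)
```

The gate in check_before_send is the kind of control that would have caught this send regardless of which client the staff member used: the list addresses are only ever legitimate in the envelope, so anything beyond a single address in To or Cc is treated as an error rather than a style choice.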

Two recipients contacted HIV Scotland, which then reported itself to the ICO.

The regulator’s investigation found shortcomings in the charity’s email procedures, including inadequate staff training and incorrect methods of sending bulk emails.

It also found that despite the charity’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure method seven months later.

The charity has now been hit with a £10,000 fine, issued under the Data Protection Act 2018 for infringements of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.

Head of ICO regions Ken Macdonald said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
