The Conservative Party has been forced to report itself to the Information Commissioner’s Office after a bungled mass email, sent using the CC rather than the BCC facility, exposed the details of hundreds of other recipients.
On Monday, New Statesman associate political editor Rachel Cunliffe said she had received an email from Conservative Campaign Headquarters, which listed the email addresses of all 344 recipients, in contravention of the Privacy & Electronic Communications Regulations (PECR).
She wrote on X: “Did anyone else just get this email, ostensibly from CCHQ, which has CCd rather than BCCd its recipients and thus shared hundreds of personal email addresses?”
Last year, the ICO issued a warning to organisations to use alternatives to the BCC email function when sending emails containing personal information, following a catalogue of blunders at both private and public sector organisations.
The warning coincided with new ICO guidance to help organisations understand the law and good practice around protecting personal information when sending bulk emails.
According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019.
The Tories have fallen foul of PECR before, when in 2021 an email campaign fronted by then Prime Minister Boris Johnson was hauled up over consent concerns.
At the time, the ICO found that between July 24 and July 31 2019, the party had sent out a total of 1,190,280 marketing emails, but while some were sent with permission the regulator could not determine what that proportion was.
The case resulted in a £10,000 fine, believed to be the first time a party which was in government had been fined for breaching data protection law.
While a fine for this incident is highly unlikely – most cases do not even result in a reprimand – it is highly embarrassing for a party which claims to uphold law and order.
A Conservative Party spokesman told Yahoo News: “We are aware of an issue relating to a conference registration email and are currently investigating the cause of this. We apologise to those affected and have self-reported to the ICO.”
An ICO spokesperson said: “The Conservative Party has made us aware of this incident and we are assessing the information provided.
“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year. Organisations should consider using alternatives to BCC such as bulk email services, mail merge, or secure data transfer services, so personal information is not shared with people by mistake.”
The move coincided with Prime Minister Rishi Sunak delivering a major speech about security in which he claimed the country would be less safe under Labour leader Sir Keir Starmer.