ICO cautions against use of BCC in bulk emails

The ICO said that instead of using BCC, alternatives such as bulk email services, mail merge or secure data transfer services should be preferred.

The regulator has also launched new guidance to help organisations understand the law and good practice around protecting personal information while sending out bulk emails.

The call for avoiding BCC comes after the ICO reprimanded tow Northern Irish organisations for disclosing personal information via email and reprimanded NHS Highland for a data breach.

According to ICO data, failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019.

The ICO also recommended organisations consider having appropriate policies in place and training for staff in relation to email communications.

Mihaela Jembei, director of regulatory cyber at the ICO, said: “While BCC can be a useful function, it’s not enough on its own to properly protect people’s personal information.

“We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers.

“If organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.

“This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”