Continuing a theme from last month’s digest (see “Question of the month – Help! We have used To/CC rather than BCC in an email and it has revealed sensitive personal data – what should we do now?”), the ICO has produced new guidance in relation to sending bulk emails.
The guidance covers issues raised in the two enforcement notices, such as the fact that even if an email itself does not contain sensitive information, the sharing of email addresses with others could reveal sensitive information about an individual (e.g., if email addresses are accidentally shared where recipients are active patients of a hospital department).
The guidance stresses that organisations should not simply rely on BCC by default to protect privacy, but should consider whether other methods, such as mail merge, a bulk mail system or even sending separate emails, are more appropriate. It also stresses the importance of training staff on security when sending bulk email, including how to recall a message if it is sent in error.
Where emailing is outsourced to a processor, questions regarding the security of email addresses should be part of any initial and ongoing due diligence.
The full guidance can be found here.