Question of the month – Help! We have used To/CC rather than BCC in an email and it has revealed sensitive personal data– what should we do now?

There have been a couple of recent reprimands issued by the ICO in situations where individuals’ email addresses were inadvertently disclosed to other recipients of an email. In the case of the Patient and Client Council, the addresses were special category data, as it was possible to infer health information from the addresses and the context in which they were sent and in the case of the Executive Office, whilst not special category data, the disclosure had the potential to cause significant distress.

In the reprimand against the Patient and Client Council (the Council), the ICO noted and welcomed the remedial steps by the organisation. The Council had contacted the individuals and requested they delete the email and not use the email addresses for any purpose. They had also asked for confirmation that this had been completed. The Council undertook an awareness campaign, which included individual and team meetings. Staff were given a refresher on policies, procedures and responsibilities.

The ICO considered that the use of BCC was not appropriate in this case and that either the emails should have been sent individually or software purchased to assist with sending the email. The ICO set out the following in terms of action needed:

  • The provision of specific guidance on the use of CC and BCC.
  • The communication of the updated policies/procedures etc.
  • Consideration to be given to conducting a DPIA/privacy assessment to assess whether using email and the BCC function is a suitably appropriate communication method where special category data is included or can be inferred.

In the other case, where a much larger list of addresses were shared, the individuals were informed immediately and kept updated, an apology was issued and an offer of emotional support services was made. The organisation in question reviewed its process for sending the newsletter by group email and “Newsletter Desk Instructions” were created to provide guidance on issuing the newsletter by group email. During a handover in management of the organisation, a full review of information management practices was undertaken.

As with any data breach, it is important to tailor your response, to take time to consider the effects of the breach on the individuals involved and take effective steps in mitigation and remediation, rather than taking a one size fits all approach. Looking at the root causes of the breach and questioning the methods you use to secure the sending of emails will help to lower the risk of future occurrences.

The reprimands can be found here.

If you would like some advice on your approach to preventing data breaches by email, please get in touch with your usual contact or email the team at


Don't just take our word for it