The data protection risks of sending group email messages

Recently the ICO fined the YMCA £7,500 for sending an email to over 150 identifiable addressees, using Cc rather than Bcc and therefore revealing the identity of the other addressees to the email. The email was addressed to those participating in a programme for people living with HIV and therefore it could be inferred that it was likely they had HIV.

The ICO found the following key areas where the YMCA failed to take reasonable steps to prevent the breach.

  • There was no written policy in place in relation to the sending of group emails
  • They failed to use an email marketing platform which would have reduced the likelihood of a disclosure
  • Completion of data protection training was not monitored
  • There were deficiencies in the YMCA’s data protection training

The starting point for the fine was £300,000 in light of the seriousness of the breach but was reduced to £7,500 on the basis the current public sector approach (preferring working with the public sector to encourage compliance, issuing fines only where they are “truly needed”).

The ICO has produced guidance in relation to sending bulk email. The guidance mentions the importance of not just relying by default on using Bcc to protect privacy and instead considering whether other methods, such as mail merge, bulk mail systems or even sending separate emails are more appropriate. The guidance also stresses the importance of training staff on security when sending bulk email and on how to recall a message if it is sent in error.

Where emailing is outsourced to a processor, questions regarding the security of email addresses should be part of any initial and ongoing due diligence.

The full guidance can be found here.


Don't just take our word for it