BLS Stay Compliant


Common email mistakes that cause data breaches

How can we avoid them?

Data breaches occur often and every organisation has a legal responsibility to keep data secure; this includes emails and email addresses. Incorrect use of emails is one of the leading causes of data breaches. 

Using emails to communicate is a staple part of any business and millions are sent every day worldwide. But did you know even simple email mistakes can class as major data breaches? 

The ICO states that, if you can identify a living person from data, it is identifiable information. 

Email mistakes can also cause data breaches because email addresses often contain personal information, such as an individual’s name or their workplace. As a result, using CC instead of BCC can be classed as a data breach.

If a person’s name is identifiable among a group of recipients who received an email on a specific subject, this too can be a data breach, since it reveals that the individual is involved with that group or subject; depending on the nature of the email, this can disclose very sensitive information about that person.

In 2019, an NHS trust was fined after sending an email about an art competition to patients using the ‘To’ field instead of ‘BCC’. The ICO found that the trust had failed to safeguard information, because the email addresses were viewable by all recipients and so made the patients recognisable as members of that NHS trust.

There are also risks where the wrong email has been used, meaning the wrong individual receives the information. This could mean sensitive or personal information may end up being sent to the wrong person and there are many reports of serious data breaches where this has occurred.  

So what can we do about it? 

  • The legislation states that organisations must ensure that organisational and technical security measures are in place and appropriate before sending out bulk emails, including when using BCC or CC.
    This may take the form of a Data Protection Impact Assessment.
  • All staff should know how to correctly use email address fields and best practice when sending out any email.
    Usually, this is done through induction and refresher training.
  • It should be clear to those receiving emails what their data is used for and how it is stored.
    Ensuring data protection and privacy related policies are up to date and easily accessible is the best way to approach this.
  • Third parties must follow your requirements and organisations should consider whether using a third party for their email communication is the most appropriate and relevant method of communication for their processes. This may mean creating a third party data sharing agreement.
  • You must ensure relevant processes are in place to ensure correct use of emails and that these processes are easily accessible and acknowledged and followed by all members of staff. This is likely to be achieved through organisational policies and adequate training. 
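A technical measure that supports the second and last points above is a pre-send check that inspects the outbound message before it leaves. The following is an added example (not code from BLS Stay Compliant or the ICO) that flags a message whose To/Cc headers expose many addresses, or external addresses from several different organisations, to every recipient; Bcc is ignored because those addresses are not disclosed. The bulk threshold of five, the domain names and the sample recipients are constructed assumptions for illustration.

```python
"""Pre-send check for recipient address exposure in outbound email.

Added example, not part of the original post. Threshold and domain names
are assumptions chosen for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

BULK_THRESHOLD = 5  # assumption: more visible recipients than this counts as a bulk send


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses in To and Cc: every recipient can read these headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def check_recipient_exposure(msg: EmailMessage, own_domain: str,
                             threshold: int = BULK_THRESHOLD) -> list[str]:
    """Return human-readable findings; an empty list means no exposure detected.

    Bcc is deliberately not inspected: addresses there are stripped before
    delivery, so they are not disclosed to the other recipients.
    """
    recips = visible_recipients(msg)
    external = [a for a in recips if not a.endswith("@" + own_domain.lower())]
    external_orgs = {a.rsplit("@", 1)[1] for a in external}
    findings = []
    if len(recips) > threshold:
        findings.append(
            f"{len(recips)} addresses are visible in To/Cc (limit {threshold}); "
            "move bulk recipients to Bcc")
    if len(external) > 1 and len(external_orgs) > 1:
        findings.append(
            f"{len(external)} external addresses from {len(external_orgs)} "
            "different organisations can all see each other")
    return findings


def build_message(to, cc=(), bcc=()) -> EmailMessage:
    """Construct a sample message (constructed data; nothing is sent)."""
    msg = EmailMessage()
    msg["From"] = "comms@trust.example"   # assumed sender domain
    msg["Subject"] = "Art competition"
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("Details of the competition.")
    return msg


# Constructed examples: the mistake described in the post, and the corrected send.
PATIENTS = [f"patient{i}@mail{i}.example" for i in range(1, 7)]
EXPOSED = build_message(to=PATIENTS)                      # six addresses visible to each other
CORRECTED = build_message(to=["comms@trust.example"], bcc=PATIENTS)

if __name__ == "__main__":
    for label, m in (("exposed", EXPOSED), ("corrected", CORRECTED)):
        print(label, check_recipient_exposure(m, "trust.example") or ["ok"])
```

In practice a check like this sits in a mail gateway or an add-in that blocks or warns on the flagged message; the threshold should be set from your own Data Protection Impact Assessment rather than the assumed value here, and the findings are worth logging so that you can evidence the control if a breach is later investigated.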

More information is available on the Information Commissioner’s Office (ICO) website regarding email security.

Whilst emails are a part of most organisations’ day-to-day working processes, the implementation and knowledge of data protection legislation may not be. This is where BLS Stay Compliant can help: ensuring your organisation is compliant with legislation and incorporating best-practice working procedures to avoid data breaches, or to prove you have acted appropriately should one occur. If we can be of any assistance, please do get in touch.
