Yesterday, August 30, 2023, the UK Information Commissioner's Office (the 'ICO') released updated guidance on the responsible handling of personal data in bulk email communications (i.e., emails sent to multiple recipients).
The ICO clarifies that an email address can be classified as personal data where it directly or indirectly identifies an individual. This includes instances where the email address reveals the recipient’s name, workplace, or even sensitive information, such as affiliations with specific groups. Therefore, it’s crucial to handle email addresses with care to prevent potential breaches of data protection laws.
Using Blind Carbon Copy (BCC) appropriately is a vital step in maintaining data privacy. Neglecting to use BCC while sending bulk emails can lead to inadvertent data breaches, exposing personal or sensitive information in violation of data protection regulations.
While BCC can be a useful function, it is important to note that relying solely on this function is not comprehensive enough to safeguard individuals’ personal data. For organizations transmitting sensitive personal information electronically, the ICO requires exploring alternatives to BCC. These alternatives include utilizing bulk email services, adopting mail merge methods (with support available from Google and Microsoft), or employing secure data transfer services.
The ICO suggests practical alternatives to enhance data protection when conducting bulk email communications:
- Implement rules in the company's email system to trigger alerts and warnings for users employing the CC field;
- Incorporate a delay mechanism, enabling senders to rectify errors before emails exit the company’s system;
- Disable the auto-complete email function to prevent unintended disclosure of email addresses; and
- Leverage the National Cyber Security Centre (NCSC) email security check tool for added assurance.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.