Return to Sender: Data Breaches and Email Correspondence

Data controllers in both the private and public sector issue and receive large volumes of email correspondence on a daily basis. While email is a valued and effective communication tool, it can be the source of a number of common data protection breaches.

Typically, most data breaches involving email tend to be a result of human error. Unintended email disclosures, depending on the content, can result in a risk to the rights and freedoms of the data subjects affected.

Common errors recently encountered by the DPC

Below are some examples of common errors recently encountered by the DPC:

• Email sent to incorrect recipient due to human error.
• Email sent to incorrect recipient due to the message service predicting the recipients email address based on the first characters entered.
• Attaching an incorrect document or hyperlink to an email.
• Forwarding an email chain to an unintended/unauthorised recipient.
• Email sent to multiple recipients using the ‘To’ or ‘Cc’ fields instead of the ‘Bcc’ field.

Recommendations

• Ensure the appropriate recipient has been selected before sending an email.
• Ensure the appropriate attachments have been selected before sending an email.

When is it appropriate to use Blind Carbon Copy (BCC)?

• Bcc – Enables you to send an email to multiple recipients without revealing the email addresses of others contained within the recipient list.
• Cc – Allows everyone who receives the email to see the email addresses of all other recipients.

If as a data controller you need to send an email to multiple recipients where it is necessary to keep all recipients email addresses private, the ‘Bcc’ field should be utilised.

In addition to the above, using 'To' or 'Cc' allows recipients to 'Reply all' which presents further risks to disclose additional, possibly sensitive, personal information by the recipients themselves. Risks they would not have been subject to if the 'Bcc' function was used. 

If an email is sent to an incorrect/unauthorised recipient, it is recommended that the data controller should Bcc a follow up email to affected data subjects apologising, instructing that the offending email should be deleted, and advising recipients that they do not have the right to further use the email addresses identified to them.

If you determine that there will be a risk, regardless of severity (Low, Medium, High, Severe) to a data subject as the result of such instances (further information in relation to this can be found in our practical guide to data breach notifications), then you are required to notify the DPC under the provisions of Article 33(1), using the DPC’s online breach notification web-form.