Email is an essential communication tool for organisations. Unfortunately, it is commonly the source of a number of data protection errors which can cause personal data breaches.
Common errors that create risk
Below are some examples of common email errors:
- Email sent to incorrect recipient due to human error.
- Email sent to an incorrect recipient because the mail client auto-completed the recipient's address from the first few characters typed.
- Attaching an incorrect document to an email.
- Forwarding an email chain to an unintended/unauthorised recipient.
- Email sent to multiple recipients using the ‘To’ or ‘Cc’ fields* instead of the ‘Bcc’ field**.
*Cc – Allows everyone who receives the email to see the email addresses of all other recipients.
**Bcc – Enables you to send an email to multiple recipients without revealing the email addresses of the others in the recipient list.
In addition, using ‘To’ or ‘Cc’ allows recipients to ‘Reply all’, which creates a further risk that the recipients themselves disclose additional personal information to the whole list. That risk does not arise when the ‘Bcc’ field is used.
Errors are not always harmless
It is often wrongly assumed that these email errors are harmless and that nothing can or should be done about them. However, even where no financial loss is suffered, these errors can leave people concerned or even distressed that their personal information has been inadvertently disclosed. That is why it is prudent to take action when these errors occur, as recommended below.
Recommendations that avoid risks
- If you need to send an email to multiple recipients, the ‘Bcc’ field should be used.
- Ensure the appropriate recipient has been selected before sending an email.
- Ensure the appropriate attachments, etc., have been selected before sending an email.
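The Cc/Bcc distinction above, and the recommendation to check recipients before sending, can be demonstrated with the following added example (it is not part of the original guidance). It uses only the Python standard library: a preflight check that rejects a message exposing more than one address in To/Cc, and then shows that Bcc addresses feed only the SMTP envelope and never appear in the message bytes that recipients receive. All addresses are constructed examples on example.com.

```python
from email.message import EmailMessage
from email.utils import getaddresses

def addresses_in(msg, *headers):
    """Bare addresses from the named headers, in order; missing headers are skipped."""
    values = []
    for header in headers:
        values.extend(msg.get_all(header, []))
    return [addr for _name, addr in getaddresses(values) if addr]

def preflight(msg, max_visible=1):
    """Check a message before it leaves and return what would reach the network.

    Returns (envelope_recipients, wire_bytes). Every address in To/Cc is
    disclosed to every recipient, so if more than max_visible distinct
    addresses appear there the message is rejected and the sender is told to
    move them to Bcc. Bcc addresses only feed the SMTP envelope (RCPT TO); the
    header is deleted from msg before serialising, which is what
    smtplib.send_message also does, so no recipient ever sees it.
    """
    visible = sorted(set(addresses_in(msg, "To", "Cc")))
    if len(visible) > max_visible:
        raise ValueError(
            f"{len(visible)} addresses would be visible in To/Cc; "
            "put bulk recipients in Bcc")
    envelope = sorted(set(addresses_in(msg, "To", "Cc", "Bcc")))
    del msg["Bcc"]  # strip before serialising; the envelope list already has them
    return envelope, msg.as_bytes()

def sample_message(to, cc=(), bcc=()):
    """Constructed sample message (hypothetical addresses on example.com)."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.com"
    msg["Subject"] = "Service update"
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("Hello all")
    return msg

if __name__ == "__main__":
    ok = sample_message(["newsletter@example.com"],
                        bcc=["a@example.com", "b@example.com"])
    envelope, wire = preflight(ok)
    print(envelope)          # all three addresses go in the envelope
    print(b"Bcc" in wire)    # False: nothing on the wire names a@ or b@
    try:
        preflight(sample_message(["a@example.com", "b@example.com", "c@example.com"]))
    except ValueError as err:
        print(err)
```

The common pattern of addressing a bulk mailing to yourself in ‘To’ and putting everyone else in ‘Bcc’ passes the check; the same list in ‘To’ is rejected before anything is sent.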
Actions to take
- You should send a follow-up email to the incorrect/unauthorised recipient(s) that:
  - Asks them to delete the email (and any attachment(s)); and
  - Advises them that they do not have the right to use the email address(es) (or access any attachments) sent to them; and
  - Asks them to confirm to you that they have deleted the email (and any attachment(s)).
- You should send an email to the affected individual(s) (i.e. those whose email address and any attachment(s) have been sent to an incorrect/unauthorised recipient) that:
  - Explains what has happened;
  - Informs them what you have done/will do; and
  - Offers an apology.
- If you think that there will be any risk – regardless of severity (e.g. low/medium/high/severe) – to someone (anyone) as the result of an email sent to an incorrect/unauthorised recipient, you must notify the ICO.