The BCC line – ICO guidance issued

As we commence the new academic term, there are many reasons for which educational establishments will need to send mass communications to various audiences. Since the implementation of the General Data Protection Regulation (now the UK GDPR) we have all been mindful of the way in which we use personal data, in particular the way in which we communicate by email. It is accepted within the education sector that bulk communications should be sent in a way that does not identify all of the recipients of the e-mail. Historically, emails would have been sent with all recipients included on the ‘To’ line or the ‘CC’ line. The risk with that approach was that the personal data contained within the recipients’ email addresses (a name, and often the fact of membership of the group being written to) was visible to every other recipient and could be used for a purpose incompatible with the reason for which it was collected, eroding the fundamental right to privacy. 

In complying with the UK GDPR, controllers (which include educational establishments) have to put in place technical and organisational measures to ensure that the personal data they process is used in a secure and safe way. Many readers will be aware of, or have experience of, incidents in which a communication was sent inadvertently identifying other recipients when that was not the intention. One of the methods adopted to communicate more securely is to use the ‘BCC’ line on an email. This shields the identity of those on the BCC line from everyone else receiving the communication. As a technical measure it can be adequate when the content of the communication is relatively unremarkable and not of a sensitive nature.  

The recent guidance issued by the ICO highlights the fact that, whilst use of the BCC line can be useful, it is not always going to be an appropriate technical measure. Its own experience is that misuse of the BCC line is one of the most common data breaches reported to it. BCC also depends entirely on the sending system behaving correctly: it works because the sender’s mail client or mail server removes the BCC addresses from the message before it is delivered, so the protection is only as good as that software and the person operating it, and it is lost the moment an address is placed on the wrong line. The guidance therefore calls on organisations processing personal data to consider whether the content of the communication warrants a more secure method of transmission, and it highlights that other technical measures are available for sending secure communications. The guidance specifically mentions providers such as Google and Microsoft, but there are many other secure mail providers; one commonly used by educational institutions and local authorities is Egress.  
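The two points above (that BCC protects recipients only if the BCC addresses are stripped before delivery, and that a single address on the wrong line defeats it) can be made concrete in code. The following is an added example written for this page, not code from the ICO or from any of the providers mentioned, and the school domain, sender and parent addresses in it are constructed for illustration. It shows a pre-send check that rejects a draft exposing more than one external address on the To or Cc lines, the separation of the BCC list from the message headers before transmission, and the alternative the guidance points towards for sensitive content: one separately addressed message per recipient, so there is no BCC line to get wrong.

```python
import copy
import email.utils
from email.message import EmailMessage

# Hypothetical policy threshold: at most one external address may be
# visible on the To/Cc lines of any outgoing bulk message.
MAX_VISIBLE_EXTERNAL = 1

# Constructed sample data; these are not real addresses.
SCHOOL_DOMAIN = "example-school.sch.uk"
SENDER = "senco@" + SCHOOL_DOMAIN
PARENTS = ["parent.one@example.org", "parent.two@example.net",
           "parent.three@example.com"]


def visible_recipients(msg):
    """Addresses any recipient can see: everything on To and Cc."""
    addrs = []
    for header in ("To", "Cc"):
        for _, addr in email.utils.getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def check_message(msg, internal_domain=SCHOOL_DOMAIN):
    """Return a list of policy violations (empty means the draft is acceptable)."""
    problems = []
    external = [a for a in visible_recipients(msg)
                if not a.endswith("@" + internal_domain)]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        problems.append(f"{len(external)} external addresses visible in To/Cc")
    return problems


def prepare_for_transport(msg):
    """Split a BCC draft into (envelope recipients, headers safe to deliver).

    The envelope carries every recipient, including those on Bcc; the
    delivered headers must not. This is the step a mail client performs
    for you, and the step the BCC approach silently relies on.
    """
    envelope = visible_recipients(msg)
    for _, addr in email.utils.getaddresses(msg.get_all("Bcc", [])):
        if addr:
            envelope.append(addr.lower())
    safe = copy.deepcopy(msg)
    del safe["Bcc"]          # removes every Bcc header; no error if absent
    return envelope, safe


def build_individual_messages(sender, recipients, subject, body):
    """One message per recipient: no recipient can ever see another."""
    msgs = []
    for r in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = r
        m["Subject"] = subject
        m.set_content(body)
        msgs.append(m)
    return msgs


def make_cc_draft():
    """The failure mode in the ICO reprimand: the whole group on Cc."""
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = SENDER
    m["Cc"] = ", ".join(PARENTS)
    m["Subject"] = "Transition meeting"
    m.set_content("Details of the meeting follow.")
    return m


def make_bcc_draft():
    """The same communication drafted on the Bcc line."""
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = SENDER
    m["Bcc"] = ", ".join(PARENTS)
    m["Subject"] = "Transition meeting"
    m.set_content("Details of the meeting follow.")
    return m


if __name__ == "__main__":
    print("Cc draft:", check_message(make_cc_draft()) or "ok")
    rcpts, safe = prepare_for_transport(make_bcc_draft())
    print("Bcc draft: envelope", rcpts, "| Bcc header kept:", "Bcc" in safe)
    for m in build_individual_messages(SENDER, PARENTS, "Transition meeting",
                                       "Details of the meeting follow."):
        print("Individual message to", m["To"], check_message(m) or "ok")
```

The check deliberately counts only external addresses, so that copying in a colleague at the school does not trigger it, and it inspects the headers as they will be delivered rather than the address book the sender started from.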

To highlight the issue the guidance seeks to address, the ICO gives the example of a case in which it determined that a formal reprimand was necessary. A communication with details of a meeting was sent to a group of NHS patients by naming them on the CC line rather than the BCC line. The communication related to HIV services. The 37 visible e-mail addresses allowed recipients to identify one another, with the inference that each was accessing HIV services, which is special category personal data. The breach could rightly cause damage and/or distress to those named. Whilst it was the organisation’s policy to send such communications on the BCC line, the ICO determined that, given the sensitivity of the content, BCC was not the most appropriate way to communicate with this group in any event. 

This guidance highlights an issue faced by all data controllers, and particularly those in the education sector, given the volume of sensitive information that needs to be communicated from time to time. Bulk communications may be sent, for example, to groups of parents of pupils who have special educational needs, or who are receiving an enhanced transition from primary to secondary school; in each case the list of recipients itself reveals something about every child on it. The guidance also brings back into focus the need to keep staff trained in recognising the importance of processing data properly, the risks associated with communicating with others, and the potential for personal data breaches to arise which need to be reported to the ICO.  

As we look to commence a new academic year, it is important that those responsible for data protection compliance consider the means available for sending communications and revisit with all staff the importance of observing policies, using the appropriate tools and seeking advice before a potential breach scenario arises. Educational establishments should carefully consider their current practice and use this as an opportunity to audit it and make changes in response to the ICO’s regulatory position on the matter.

We are experienced in providing practical advice to education clients on meeting data protection compliance. Should you have any queries please do not hesitate to get in contact for support.
