To cc or bcc: that’s the £10,000 question 

12 January, 2022

Who hasn’t pasted email addresses into the wrong box before sending? If you’ve ever made this all-too-human error, here’s news about an upcoming opportunity to get to grips with UK data protection law.

Under current legislation, organisations responsible for personal data must have appropriate technical and organisational measures in place to ensure that the information they hold about people is secure. Are you confident in your understanding of UK data protection law? If not, it might be time to brush up on your knowledge to help protect your organisation from potential breaches.

The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, has issued substantial fines to several charities over recent years. 

Following one investigation, which resulted in a fine of £10,000, the ICO urged organisations to revisit their bulk email practices. The charity involved breached data protection law by sending an email containing sensitive information about individuals' health status with all recipients' email addresses visible to one another. The investigation found shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.
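The cc/bcc mistake described above is one a mailing script can guard against mechanically. The following is an added example, not code from the article or from any of the organisations it mentions: it builds a bulk message with every recipient in Bcc, and a pre-send check refuses any message whose To/Cc headers would expose more than one address. The addresses and the `build_exposed_message` helper (which reproduces the mistake for comparison) are constructed for illustration.

```python
"""Bulk-mail guard: keep recipient addresses out of the visible headers.

Added example, not part of the original article. All addresses below are
constructed sample data, not real contacts.
"""
from email.message import EmailMessage

# Constructed sample recipient list (placeholder addresses)
SAMPLE_RECIPIENTS = [
    "alice@example.org",
    "bob@example.org",
    "carol@example.org",
]


def build_bulk_message(sender, recipients, subject, body):
    """Build one message with every recipient in Bcc.

    Bcc is dropped before delivery (smtplib.send_message strips it, and a
    mail server does the same), so each recipient sees only the sender's
    own address in To and learns nothing about who else was mailed.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # visible addressee is the organisation itself
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_exposed_message(sender, recipients, subject, body):
    """The mistake from the article: all recipients pasted into To (hypothetical)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the addresses every recipient will be able to see (To and Cc)."""
    addrs = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in str(value).split(",") if a.strip())
    return addrs


def check_before_send(msg, max_visible=1):
    """Pre-send check: refuse a message exposing more than max_visible addresses.

    Returns (ok, reason). Call this at the point where the mailing tool
    hands the message to the SMTP library, so a cc/bcc mix-up is caught
    before anything leaves the organisation.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, (f"{len(visible)} addresses would be visible to all "
                       f"recipients; put them in Bcc instead")
    return True, "ok"


if __name__ == "__main__":
    good = build_bulk_message("news@example.org", SAMPLE_RECIPIENTS,
                              "Service update", "Hello")
    bad = build_exposed_message("news@example.org", SAMPLE_RECIPIENTS,
                                "Service update", "Hello")
    print("bcc message:", check_before_send(good))
    print("exposed message:", check_before_send(bad))
```

The check is deliberately simple: it counts what would be visible rather than trying to judge whether the content is sensitive, because the ICO's point was that the procedure itself (and the training behind it) was inadequate, not that one particular message slipped through.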

In another case, a charity was fined £25,000 for failing to keep the personal data of service users secure. The ICO found that the organisation held sensitive information with insufficiently secure settings, leaving approximately 780 pages of confidential emails viewable online for nearly three years. As a result, personal information, such as names and email addresses, of 550 people was searchable online. The personal data of 24 of those people was sensitive, as it revealed how the person was coping and feeling, and a further 15 people's data was classified as special category data, as mental and physical health and sexual orientation were exposed.

The ICO’s investigation concluded that the charity should have applied restricted access to the data and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. The ICO found that the charity in question had a negligent approach towards data protection, with inadequate policies and a lack of training for staff. In both of these cases the data breaches could easily have been prevented had simple risk management measures been applied and staff adequately trained.

Help to protect your service users and your organisation by improving your understanding of UK data protection law at our upcoming training opportunity. On Monday 24th January, 1pm-2pm, Voscur is hosting a data protection webinar in association with LawWorks and Shelley Thomas, an experienced data protection lawyer and in-house solicitor at Bank of America. Shelley will go over the basics of data protection law, the dos and don'ts, and practical steps to take if there has been a data breach.

To register your attendance, click here