Dangers of the “CC” – charity fined for data breach

The British privacy regulator, the Information Commissioner’s Office (ICO), has fined charity HIV Scotland £10,000 for a data breach. This data breach was notified to the British regulator under a similar scheme to the Australian Notifiable Data Breach scheme introduced in 2017.

The data breach was caused by an email sent to 105 people in February 2020 using the carbon copy (CC) function instead of blind carbon copy (BCC). This meant the email addresses were visible to all recipients.

Because email addresses often identify people’s names, this data breach identified 65 people by name. Due to the nature of the email and the charity – HIV Scotland – the breach could also have led to assumptions about people’s HIV status or risk. This is understandably very private information, and in Australia, would be classified as health and sensitive information under the Privacy Act 1988 (Cth).

Email risks for vaccination information

A similar risk in the current environment is around COVID-19 vaccination status. Organisations need to be particularly aware of the dangers of collecting sensitive information via email. For example:

  • Email is not the most secure collection method. Instead, consider collecting vaccination information in another manner.
  • Emails can be easily forwarded, leading to unauthorised disclosures and data breaches.
  • You will likely be saving the vaccination information elsewhere in your records, but the information will remain in an inbox. Consider deleting emails once information is collected.

Also remember that, when replying to emails, personal information lower down in the email chain may be disclosed to any new recipients of the reply.

Human error data breaches in Australia

The danger of the CC is present for Australian organisations too. Between January and June 2021, the Office of the Australian Information Commissioner (OAIC) reported:

  • 30% of data breaches were caused by human error;
  • 8% of human error breaches were from failing to use BCC; and
  • 40% of human error breaches were caused by emailing personal information to the wrong recipient.

See the OAIC’s report for more information about Australian data breaches.

How to protect your organisation from email-related data breaches

We recommend you:

  • implement staff privacy and refresher training;
  • establish set methods of sending bulk emails by BCC; and
  • have a privacy policy that staff are familiar with, and preferably internal procedures and fact sheets to inspire best practice.
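The recommendation to establish a set method for sending bulk emails by BCC can be enforced in code rather than left to habit. What follows is an added example, not code from the original article or from any organisation it mentions: a small Python bulk-mail builder that places every recipient in Bcc, refuses any message whose To/Cc headers would expose more than one address, and keeps the SMTP envelope recipients separate from the wire copy (from which the Bcc header is removed). The addresses, the limit `MAX_VISIBLE_RECIPIENTS` and all function names are assumptions for illustration.

```python
"""Added example: a bulk mailer that enforces BCC and refuses CC-style leaks."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption (not from the article): a bulk mailing may expose at most this many
# addresses in the visible To/Cc headers. A limit of one lets the sender address
# the message to itself so the To field is never empty.
MAX_VISIBLE_RECIPIENTS = 1


class VisibleRecipientError(ValueError):
    """Raised when a message would expose recipients' addresses to each other."""


def _addresses(headers: list) -> list[str]:
    """Flatten a list of address header values into bare email addresses."""
    return [addr for _name, addr in getaddresses([str(h) for h in headers]) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: To and Cc, never Bcc."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def would_leak(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True if sending this message would reveal more than `limit` addresses."""
    return len(visible_recipients(msg)) > limit


def check_visible_recipients(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> None:
    """Gate to run before any bulk send; raises instead of leaking."""
    if would_leak(msg, limit):
        raise VisibleRecipientError(
            f"{len(visible_recipients(msg))} addresses visible in To/Cc "
            f"(limit {limit}); put bulk recipients in Bcc"
        )


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a bulk message: only the sender is visible, everyone else is in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the single visible address is the sender's own
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    check_visible_recipients(msg)  # defence in depth: fails if someone edits To/Cc later
    return msg


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """Addresses the SMTP envelope (RCPT TO) must carry: To, Cc and Bcc combined."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))


def wire_copy(msg: EmailMessage) -> bytes:
    """Serialise the message as it should leave the server: Bcc header stripped."""
    stripped = copy.deepcopy(msg)
    del stripped["Bcc"]  # removes every Bcc header; a no-op if none is present
    return stripped.as_bytes()


def constructed_cc_mistake() -> EmailMessage:
    """Constructed sample of the mistake behind the fine: a list pasted into Cc."""
    msg = EmailMessage()
    msg["From"] = "newsletter@charity.example"  # constructed address
    msg["Cc"] = "alice@example.org, bob@example.org, carol@example.org"  # constructed
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello everyone")
    return msg


if __name__ == "__main__":
    bulk = build_bulk_message(
        "newsletter@charity.example",
        ["alice@example.org", "bob@example.org", "carol@example.org"],  # constructed
        "Monthly update",
        "Hello everyone",
    )
    print("visible:", visible_recipients(bulk))
    print("envelope:", envelope_recipients(bulk))
    print("Bcc in wire copy:", b"Bcc" in wire_copy(bulk))
    try:
        check_visible_recipients(constructed_cc_mistake())
    except VisibleRecipientError as exc:
        print("rejected:", exc)
```

The point of splitting `envelope_recipients` from `wire_copy` is that Bcc delivery depends on the sending code passing the hidden addresses to the SMTP envelope while never writing them into the headers; `smtplib.SMTP.send_message` does this for you, but a hand-rolled sender that calls `sendmail(from, to_list, msg.as_bytes())` with Bcc still in the headers would leak exactly as CC does, and `wire_copy` is the check against that.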

In response to this data breach, the ICO is encouraging all organisations to revisit their bulk email policies to ensure they have robust procedures in place. This is particularly relevant for charities and not-for-profit organisations for whom personal information (such as contact details) is central to the very nature of their work.

How we can help

We can help you prepare for data breaches through privacy training, privacy audits and designing custom privacy and data protection procedures and internal tools for staff.

We can help you respond to a data breach by assessing the breach under the Notifiable Data Breach Scheme, and helping you implement a Data Breach Response Plan.

Please contact us for further assistance.