Date updated: Monday 4th September 2023

The ICO has said it has ‘seen hundreds of personal data breach reports where a sender has misused the “bcc” field’. To tackle this common cause of data security breaches, the ICO has recently issued guidance on email and security.

ICO data for 2022 shows that the ‘Health’ sector is where most breaches occurred (20% of all reported data security breaches). ‘Education and childcare’ is next in the league table (15%), with the ‘Charitable and voluntary’ sector accounting for 6% of reported data security breaches.

‘Failure to use the bcc field’ and ‘emailing data to the wrong recipient’ together account for 21% of reported data breaches. The ICO’s guidance seeks to address this by outlining the legislative requirements and how organisations should go about complying with the law effectively.

The guidance covers a range of measures, including:

  • How to identify when information counts as personal information;
  • The importance of training staff on the use of cc and bcc when using emails;
  • Alternatives to the use of cc and bcc;
  • Security measures that should be used;
  • Should the worst happen, how to go about reporting breaches to the ICO.

The ICO’s guidance also provides two real-life examples of organisations (the NHS and an unnamed charity) that were in breach of their obligations in relation to email security. Tellingly, both organisations were fined by the ICO for their failings.