To BCC or not to BCC – that is the question data watchdog wants answered

The dos and don'ts of bulk emailing

A data regulator has reminded companies they need to take care while writing emails to avoid unintentionally blurting out personal data.

Unsurprisingly, much of the UK's Information Commissioner's Office (ICO) guidance comes down to the correct use of address fields for recipients and considering the content of an email before hitting the bulk send button.

The ICO warned companies that staff need training on how to properly use the Carbon Copy (CC) and Blind Carbon Copy (BCC) fields.

The watchdog said it had "seen hundreds of personal data breach reports where a sender has misused the 'BCC' field."


Britain's Ministry of Defence fined £350K over Afghan interpreter BCC email blunder


The misuse ranges from simply forgetting to use the BCC field to placing confidential information in emails that aren't encrypted and can be viewed as they flow through servers on their way to their destination.

As a reminder for any Reg readers living under rocks, using the "BCC" field means that recipients cannot see each other's email addresses - useful for a bulk email with a large mailing list. "CC" means the email addresses can be seen, which can be useful in ensuring a recipient is aware of who else is getting the same email.

The ICO cited two case studies where the "To" or "CC" fields were used erroneously instead of "BCC." In the first, an NHS Trust manually copied patients' email addresses and pasted them into the "To" field to send a bulk email about an art competition. While the email didn't contain confidential information, the presence of all those email addresses in the "cc" field meant recipients could identify active patients of the trust. The health body was fined for the error.

In the second case study a charity performed an incomplete migration to a secure email platform. While they waited for the job to complete, emails still needed to be sent. For one of these emails, a staff member erroneously added addresses to the "CC" field manually. Email addresses were, therefore, visible to all recipients. The email was an agenda for an event and was sent to 105 members of an HIV advisory board.

The ICO noted: "65 of the 105 email addresses clearly identified recipients, with two recipients contacting the charity to highlight the incident."

Email is decades old, and it is unsettling that people are still making errors in this way. Hence the ICO's reminder that organizations need to be aware of best practices and take a risk-based approach to email.

As well as ensuring everyone understands the difference between "CC" and "BCC," the ICO recommends rules in email systems to warn when "CC" is being used, and to add some delay in sending emails to give staff time to correct errors before a message is sent. The watchdog also advised that people should turn off those annoying seemingly helpful autocomplete functions that might result in an unexpected email address being used.

The ICO also issued a reminder that email might not be the best transfer method, even if using "BCC." It noted that even if a third-party provider is being used to send emails on behalf of an organization, the organization's own requirements must be followed.

"Email," said the ICO, "has increasingly become the default choice for efficiently sharing information, but this doesn’t always make it the best choice." ®

More about


Send us news

Other stories you might like