GDPR Data Protection MDdm

Data Breaches and Email Correspondence

The Irish Data Protection Commission (DPC) has issued a timely reminder to all organisations, especially as a lot of staff are still working from home. This is in relation to one of the most common personal data breaches, which involves emails sent to the wrong person or group because of human error. The DPC made it clear that unintended email disclosures, depending on the content, can result in a risk to the rights and freedoms of the persons affected and that you can be required by law to notify the DPC.

Common errors recently encountered by the DPC

Below are some examples of common errors recently encountered by the DPC:

  • Email sent to incorrect recipient due to human error.

  • Email sent to incorrect recipient due to the message service predicting the recipient's email address based on the first characters entered.

  • Attaching an incorrect document or hyperlink to an email.

  • Forwarding an email chain to an unintended/unauthorised recipient.

  • Email sent to multiple recipients using the ‘To’ or ‘Cc’ fields instead of the ‘Bcc’ field.

Recommendations

  • Ensure the appropriate recipient has been selected before sending an email.

  • Ensure the appropriate attachments have been selected before sending an email.

When is it appropriate to use Blind Carbon Copy (BCC)?

  • Bcc – Enables you to send an email to multiple recipients without revealing the email addresses of others contained within the recipient list.

  • Cc – Allows everyone who receives the email to see the email addresses of all other recipients.

Recommendation

  • If as an organisation you need to send an email to multiple recipients where it is necessary to keep all recipients' email addresses private, the ‘Bcc’ field should be utilised.

In addition to the above, using 'To' or 'Cc' allows recipients to 'Reply all', which presents the further risk that recipients themselves disclose additional, possibly sensitive, personal information to the whole group, a risk they would not have been exposed to if the 'Bcc' function had been used.
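The To/Cc/Bcc distinction above is something an organisation can check mechanically before a message leaves. The following Python script is an added example and is not part of the DPC's guidance: it parses an outgoing message's headers, flags the case where two or more external recipients are visible to each other in 'To' or 'Cc', and produces a corrected copy that moves those addresses to 'Bcc'. The organisation domain (example.org) and the sample messages are constructed for illustration; a real deployment would plug the same check into a mail gateway, DLP rule or client add-in.

```python
"""Pre-send check for the 'To/Cc instead of Bcc' disclosure described by the DPC.

Added example (not DPC code). INTERNAL_DOMAINS and the sample messages below
are hypothetical; any address outside INTERNAL_DOMAINS is treated as external.
"""
from email import message_from_string
from email.utils import getaddresses

# Hypothetical organisation domain(s); addresses elsewhere are "external" data subjects.
INTERNAL_DOMAINS = {"example.org"}


def recipients(msg, header):
    """Return the lower-cased addresses found in every occurrence of `header`."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_external(addr):
    """An address is external when its domain is not one of ours."""
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def check_recipient_exposure(raw_message, threshold=2):
    """Flag messages in which `threshold` or more external parties can see each other.

    Returns a dict: the external addresses visible in To/Cc, how many addresses
    are already in Bcc, which visible addresses would be disclosed to one another,
    and whether Bcc should have been used instead.
    """
    msg = message_from_string(raw_message)
    visible = recipients(msg, "To") + recipients(msg, "Cc")
    external_visible = [a for a in visible if is_external(a)]
    # Mutual disclosure only arises once at least `threshold` external parties are visible.
    exposed = external_visible if len(set(external_visible)) >= threshold else []
    return {
        "visible_external": external_visible,
        "bcc_count": len(recipients(msg, "Bcc")),
        "exposed": exposed,
        "recommend_bcc": bool(exposed),
    }


def rewrite_with_bcc(raw_message):
    """Return the message with exposed external recipients moved from To/Cc to Bcc.

    Internal colleagues stay visible in Cc; 'To' becomes an empty group so the
    header remains syntactically valid. Messages that are not flagged are returned unchanged.
    """
    finding = check_recipient_exposure(raw_message)
    if not finding["recommend_bcc"]:
        return raw_message
    msg = message_from_string(raw_message)
    internal_visible = [a for a in recipients(msg, "To") + recipients(msg, "Cc")
                        if not is_external(a)]
    existing_bcc = recipients(msg, "Bcc")
    # `del` removes every occurrence and does not raise if the header is absent.
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = "Undisclosed recipients:;"
    if internal_visible:
        msg["Cc"] = ", ".join(internal_visible)
    msg["Bcc"] = ", ".join(existing_bcc + finding["exposed"])
    return msg.as_string()


# Constructed sample: a bulk notice where three external people can see each other.
MASS_MAIL = """\
From: notices@example.org
To: alice@mail.test, bob@mail.test
Cc: carol@other.test, compliance@example.org
Subject: Service update

Hello all, please note the change to our opening hours.
"""

# Constructed sample: one external recipient plus an internal colleague, nothing to flag.
SINGLE_MAIL = """\
From: support@example.org
To: alice@mail.test
Cc: compliance@example.org
Subject: Your query

Hi Alice, following up on your question.
"""

if __name__ == "__main__":
    for name, raw in (("MASS_MAIL", MASS_MAIL), ("SINGLE_MAIL", SINGLE_MAIL)):
        result = check_recipient_exposure(raw)
        print(name, "->", "use Bcc" if result["recommend_bcc"] else "ok", result["exposed"])
    print(rewrite_with_bcc(MASS_MAIL))
```

The threshold of two is deliberate: a single external recipient in 'To' discloses nothing to anyone else, so the check only fires when addresses would actually be revealed to other data subjects. Running the rewritten message back through the check confirms it is no longer flagged.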

If an email is sent to an incorrect/unauthorised recipient, it is recommended that the organisation should immediately ‘Bcc’ a follow-up email to the affected data subjects apologising, instructing that the offending email should be deleted, and advising recipients that they do not have the right to further use the email addresses identified to them.

If you determine that there will be a risk, regardless of severity (Low, Medium, High, Severe), to the person(s) affected as the result of such an incident, then you are required to notify the DPC under the provisions of Article 33(1) of the GDPR, using the DPC’s online breach notice form (see link here), within 72 hours of becoming aware of it.