To BCC or not to BCC

The recent – and well publicised – data breach by the 56 Dean Street clinic in London raised a number of interesting data protection issues. The well-rehearsed line of “it was human error” was put forward to explain the breach…but who committed the error: the person who pressed ‘send’…or the senior management who appear to have permitted the use of a normal email system to distribute the newsletter? This blog will argue it was the latter…

Everyone knows how easy it is to accidentally send an email to the wrong person…

…and that addresses placed in the “cc” box will be seen by all recipients…

…and those in the “bcc” box will not…

…and that human error might lead to someone accidentally using the cc box instead of the bcc box to distribute a message.

In many contexts, the impact of such an error would be minimal – the accidental disclosure of the email distribution list might enable those on the list to contact each other, or you might enable someone to learn that a friend, family member or colleague also receives that newsletter (because you recognise their email address). This might generate mild interest or embarrassment…

But this list was associated with an HIV clinic – which meant just the one field of data (email address) actually told you that others on the list had an association with the clinic…and potentially meant, in some cases, the previously confidential HIV status of an individual was being disclosed to others on the list. The media are reporting the real life impact of the breach:

I am not ready to disclose my HIV status to my wider friends or family. I fear now that I have no choice…

This breach therefore has echoes of the £200,000 fine for the British Pregnancy Advisory Service – where the basic contact information of women, when associated with the BPAS, meant you would learn something very sensitive about them (i.e. they had sought advice on contraception and/or abortion). As the ICO noted,

“Some of the…details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker.”


With these issues in mind, it makes you ask: did anybody at the clinic consider

  • the potential impact on the 780 people should such a breach occur?
  • the likelihood of such an error occurring (i.e. of accidentally putting the emails into a normal email cc box instead of the bcc box)?
  • whether the impact and likelihood might justify (or require) the use of a more secure, less risky means of distributing the newsletter?

This is not just hindsight or wishful thinking – the Data Protection Act requires such considerations: tucked away at the back (paragraph 9 of Part II of Schedule 1 for those itching to take a look) is a requirement to weigh up the technology available to you; the cost of implementing the measures; the nature of information involved and the harm that might result from a breach – and reach a conclusion on what you believe is an appropriate set of security measures.

  • “state of technological development” – i.e. what solutions are out on the market? Are there common, accessible standards? What’s the industry leader?
  • “cost of implementing any measures” – i.e. you can take account of the cost; one size does not fit all.
  • “harm that might result from” – i.e. think proactively…rather than wait for a breach to happen.
  • “nature of the data to be protected” – i.e. you can and should apply more protection to more sensitive personal information.

The question all Data Controllers face is: when ‘human error’ happens (because it will) in relation to the risks that you “knew or ought to have known” could cause “substantial distress” to individuals, are you able to prove you took “reasonable steps” to reduce the risk? Again, this is not hindsight or wishful thinking – these are the criteria defined by Section 55A of the DPA for deciding whether a £500,000 fine is justified.

Giving those at the coal face a set of clear policies and procedures, and training, is a good start: can you, for example, produce records demonstrating that staff have received training and recognise the sensitivity of the email addresses; that the process for distributing the newsletter was documented (and so consistent and repeatable); and that someone double-checked the email before the “send” button was pressed? Such organisational measures may have helped reduce the risk of someone accidentally using the cc box…
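The “double check before send” can also be made technical rather than left to a colleague’s eye. The following is an added illustration, not code from the clinic, from Protecture or from the original post: a small pre-send guard that refuses any draft carrying a bulk distribution list in To/Cc, and that strips the Bcc header from the transmitted message while handing the Bcc addresses over separately as envelope recipients (the way Bcc is supposed to work with SMTP). The threshold of five visible addresses, the sample addresses and the header layout are all assumptions made for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed policy value (not from the article): a draft with more than this
# many addresses visible in To/Cc is treated as a bulk mailing and must carry
# its distribution list in Bcc instead.
MAX_VISIBLE_RECIPIENTS = 5


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient will be able to see (To and Cc headers)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_draft(raw_message: str) -> tuple[bool, str]:
    """Gate a draft before it reaches the mail server.

    Returns (ok, reason). A mailing whose list sits in To/Cc is refused,
    which is exactly the mistake described in the article.
    """
    visible = visible_recipients(raw_message)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, (f"{len(visible)} addresses are visible in To/Cc; "
                       "move the distribution list to Bcc")
    return True, "ok"


def prepare_for_send(raw_message: str) -> tuple[str, list[str]]:
    """Split a checked draft into the message that goes out and the envelope.

    The Bcc header is deleted from the transmitted message so no recipient can
    read it; the Bcc addresses are returned separately for use as the SMTP
    envelope recipients (e.g. the to_addrs argument of smtplib.SMTP.sendmail).
    """
    msg = message_from_string(raw_message)
    bcc = [addr for _name, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    envelope = visible_recipients(raw_message) + bcc
    del msg["Bcc"]  # removes every Bcc header line
    return msg.as_string(), envelope


# Constructed sample data: ten made-up subscriber addresses.
SUBSCRIBERS = [f"subscriber{i}@example.invalid" for i in range(1, 11)]


def build_draft(list_field: str) -> str:
    """Constructed newsletter draft with the list in the given header (Cc or Bcc)."""
    return (
        "From: newsletter@clinic.example.invalid\n"
        "To: newsletter@clinic.example.invalid\n"
        f"{list_field}: {', '.join(SUBSCRIBERS)}\n"
        "Subject: Monthly newsletter\n"
        "\n"
        "Newsletter body.\n"
    )


if __name__ == "__main__":
    for field in ("Cc", "Bcc"):
        ok, reason = check_draft(build_draft(field))
        print(f"list in {field}: {'send' if ok else 'blocked'} ({reason})")
    outgoing, envelope = prepare_for_send(build_draft("Bcc"))
    print(f"{len(envelope)} envelope recipients; Bcc header present in outgoing message: "
          f"{'Bcc:' in outgoing}")
```

A guard of this kind sits between the mail client or script and the mail server, so it blocks the error at the point the article identifies rather than relying on whoever presses “send”; the records it produces (blocked drafts, counts) are also the sort of evidence of “reasonable steps” the later paragraphs ask for.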

But there remains the question whether a more secure means of distributing the newsletter was considered – and if not, why not, given the circumstances (the sensitivity, the potential impact; the available technical solutions and their relative cost); if so, why was it turned down?

Such matters are more strategic and for more senior management to answer; if they have been considered, you can at least debate their merits with the ICO…if not, then the ‘human error’ is at the senior management level rather than the coal face…

Protecture are offering charities a free review of their approach to data protection. Please click here for more detail, call 0203 691 5731 or email help@protecture.org.uk