Watch Your Bulk Emails: Inadvertent Email Data Breaches Are Significant

Sending emails in the course of business is par for the course, but an inadvertent error can have unintended but serious implications. A recent case serves as a timely reminder for businesses to ensure their email and other digital communication processes are efficient and effective to avoid data protection breaches – particularly if there are multiple recipients.

The Information Commissioner’s Office (ICO) has also just published new guidance on data protection fines.

Lives risked

Earlier this year, the Ministry of Defence was fined £350,000 by the ICO after emails to multiple addresses unintentionally put the lives of 245 vulnerable people seeking to relocate from Afghanistan at risk.

As a result of human error, emails were inadvertently sent to those individuals using the ‘To’ field rather than the ‘Bcc’ field – meaning that all individual email addresses were visible to all the recipients.

The disclosure of those unique email addresses breached the General Data Protection Regulation (GDPR) Article 5(1)(f).

The MOD reported the breach to the ICO. An internal report on the breach acknowledged that it was a significant breach and that if the data fell “into the wrong hands, either the Taliban or criminal organisations, it could almost certainly be exploited…” Fortunately, there was no evidence that the data had fallen into the wrong hands.

The ICO found that the MOD was negligent in failing to maintain appropriate security of personal data in light of the specific security risks. The MOD’s email-use policy, for instance, lacked any advice about the potential risks of recipients being able to see other recipients; and it was apparent there was a lack of express staff training or advice on the use of ‘Bcc’.
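The failure described above is easy to catch before a message leaves the organisation. The following pre-send check is an added example, not code from the newsletter, the ICO or the MOD: it inspects the visible To/Cc headers of a message, refuses to send when more than a permitted number of external addresses would be revealed to every recipient, and shows the safe way to compose a bulk mailing with recipients in Bcc. The internal-domain list, the threshold and the sample addresses are assumptions chosen for the illustration.

```python
"""Pre-send guard against the To/Bcc exposure described in the MOD case.

Added example, not code from the article or the organisations it names.
INTERNAL_DOMAINS, MAX_VISIBLE_EXTERNAL and all addresses are assumptions.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable, List

# Assumed: staff on these domains may legitimately see each other's addresses.
INTERNAL_DOMAINS = {"example.gov.uk"}
# Assumed policy: at most one external address may be visible in To/Cc.
MAX_VISIBLE_EXTERNAL = 1


def visible_external_addresses(msg: EmailMessage) -> List[str]:
    """Return external addresses that every recipient would be able to see.

    Only To and Cc are inspected; Bcc is stripped by the mail server
    and is therefore not visible to other recipients.
    """
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    exposed = []
    for _display_name, addr in getaddresses(headers):
        if not addr:
            continue
        domain = addr.rpartition("@")[2].lower()
        if domain not in INTERNAL_DOMAINS:
            exposed.append(addr)
    return exposed


def check_recipient_exposure(msg: EmailMessage) -> List[str]:
    """Return policy violations; an empty list means the message may be sent."""
    exposed = visible_external_addresses(msg)
    problems = []
    if len(exposed) > MAX_VISIBLE_EXTERNAL:
        problems.append(
            f"{len(exposed)} external addresses would be visible to all "
            f"recipients in To/Cc; move them to Bcc"
        )
    return problems


def build_bulk_message(recipients: Iterable[str], sender: str,
                       subject: str, body: str) -> EmailMessage:
    """Compose the safe form of a bulk mailing.

    The only visible recipient is the sender's own address; everyone
    else goes in Bcc so no recipient learns who else received the mail.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample: the unsafe pattern, three external addresses in To.
    unsafe = EmailMessage()
    unsafe["From"] = "caseworker@example.gov.uk"
    unsafe["To"] = "a@example.com, b@example.org, c@example.net"
    unsafe["Subject"] = "Relocation update"
    unsafe.set_content("...")
    print("unsafe:", check_recipient_exposure(unsafe))

    safe = build_bulk_message(
        ["a@example.com", "b@example.org", "c@example.net"],
        "caseworker@example.gov.uk", "Relocation update", "...",
    )
    print("safe:", check_recipient_exposure(safe))
```

When the safe message is handed to `smtplib.SMTP.send_message`, the Bcc header is removed from the transmitted copy and its addresses are used only as envelope recipients, so the check above and the sending path agree on what other recipients can see. Wiring the check into the step immediately before sending (rather than relying on staff training alone) is the control whose absence the ICO criticised.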

The Commissioner found that the infringement was sufficiently serious to warrant a significant penalty. He took £700,000 as a starting point and reduced it by half to reflect that the MOD is a public body.

Guidance on fines

The ICO says its new guidance gives businesses and other organisations greater transparency and clarity on how it decides on issuing penalties and calculating fines.

It explains the relevant legal framework, the ICO’s methodology for calculating fines and its approach to key questions, for instance identifying the wider ‘undertaking’ or economic entity of which the controller or processor forms part.

It makes clear that where a data controller or processor forms part of an undertaking, eg as a subsidiary of a parent company, the maximum fine will be calculated based on the turnover of the undertaking as a whole. The guidance clarifies that ‘undertaking’ for these purposes should be understood in accordance with UK competition law.

Where more than one provision of the GDPR is infringed in the same or ‘linked’ conduct, the total fine will not exceed the amount specified for the gravest infringement.

On the other hand, if separate infringements arise from separate conduct, the Commissioner may decide to include the separate infringements in the same penalty notice. However, the fine imposed for each infringement would be subject to the relevant statutory maximum amount for that infringement. The new guidance applies to new cases from 18 March, as well as to ongoing cases for which no notice of intent to impose a fine has yet been issued.

If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be