Emails and Data Protection (Part 1)

To B(CC) or Not To B(CC)

We send emails every day, a lot of them, from quick notes to colleagues asking them to send over a document, to formal reports to government departments and key stakeholders.  Email is an integral part of our working lives, not to mention our personal lives.  It's also a source of a number of weaknesses and vulnerabilities in information security and data protection.

One of the easiest things to get wrong in email is the addressing, and there are a few things that go awry: for example, when Outlook suggests recipients as you're typing a name into the "To" field, it's easy to pick the wrong recipient from three or four similar names.  The biggest risk, however, is when you're sending out an email to a group of people and you have to choose whether to add them all in the "To" field as primary recipients, or whether to CC or to BCC the recipients.

The terms CC and BCC date back to typewriters, and sending out paper letters.
CC stands for Carbon Copy; a sheet of carbon paper was put between two plain sheets of paper as the letter was typed, giving two copies of the letter.  Both letters would be marked "CC" and the name of the person who was to receive the copy would be written at the bottom under the sender's signature. 
BCC stands for Blind Carbon Copy, where the original letter was not marked to show a copy had been made, and didn't show the name of the person who was to receive the copy.

So which do we use in our emails: "To", CC or BCC?

To

If you're sending an email to people who already know each other, or who need to know each other, and who will need to participate in the email conversation, it's fine to add them all as primary recipients in the "To" field.  This could be an email round to colleagues and partners in other organisations who are all working on the same project, or colleagues in different teams who are working on a report.

CC

If you're sending an email to people who know each other, or who need to know that other people have seen the email, and who might need to contact each other, you can safely use CC.  This could be an email to a government department that needs to be copied to a colleague or manager for their later reference.

BCC

If you're sending an email to people who don't know each other, and who have no identifiable need to have each other's details, then you should always use BCC or an alternative mailing option.  This could be an email to a group of customers about an event, or an email to people who have registered an interest in a product or service.

It's important to keep data protection in mind when sending emails and to use the CC and BCC functions carefully, and, where appropriate, to use ways of sending out emails to groups that are designed to protect the individuals' personal data, for example platforms that are designed for managing mailing lists.
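The To/CC/BCC rule above can be turned into a pre-send check: parse the outgoing message, count the addresses every recipient will be able to see (To and Cc, never Bcc), and flag the message when that visible list looks like a mailing list of people who have no need of each other's details. The script below is an added example and is not part of the original post or of any organisation's tooling; the thresholds, the domains and both sample messages are constructed for illustration.

```python
"""Pre-send check: flag outgoing mail that exposes recipient addresses.

Rule of thumb from the post: To/CC are fine when recipients already know
each other; recipients who have no need of each other's details belong
in BCC. This check parses an RFC 5322 message and reports when the
visible (To + Cc) recipient list looks like a mailing list.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed thresholds for this example; tune them to the organisation.
MAX_VISIBLE_EXTERNAL = 5   # more external addresses than this in To/Cc looks like a list
MAX_EXTERNAL_DOMAINS = 3   # external recipients spread over more domains are probably strangers


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc, deduplicated (Bcc excluded)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _name, addr in pairs if addr})


def check_message(raw):
    """Decide whether an outgoing message exposes recipient addresses it should not."""
    msg = message_from_string(raw)
    sender_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    visible = visible_recipients(msg)
    # Colleagues on the sender's own domain can usually see each other anyway;
    # the risk is the external addresses exposed to one another.
    external = [a for a in visible if domain_of(a) != sender_domain]
    external_domains = sorted({domain_of(a) for a in external})
    should_use_bcc = (len(external) > MAX_VISIBLE_EXTERNAL
                      or len(external_domains) > MAX_EXTERNAL_DOMAINS)
    return {
        "visible": len(visible),
        "external": len(external),
        "external_domains": external_domains,
        "should_use_bcc": should_use_bcc,
    }


# Constructed sample 1: a project thread among people who already work together.
PROJECT_MAIL = """\
From: Alice <alice@example.org>
To: Bob <bob@example.org>, Carol <carol@partner.example.com>
Cc: Dave <dave@example.org>
Subject: Report draft

Please see the attached draft.
"""

# Constructed sample 2: an invitation copied to 37 unrelated recipients in Cc,
# the same pattern as the NHS Highland case (every address here is invented).
_DOMAINS = ["mail.example", "webmail.example", "isp.example", "post.example"]
_INVITEES = ", ".join(f"person{i}@{_DOMAINS[i % len(_DOMAINS)]}" for i in range(37))
INVITE_MAIL = f"""\
From: Clinic Admin <admin@example.org>
To: Clinic Admin <admin@example.org>
Cc: {_INVITEES}
Subject: Invitation to a service user meeting

You are invited to a meeting next month.
"""

if __name__ == "__main__":
    for label, raw in (("project", PROJECT_MAIL), ("invitation", INVITE_MAIL)):
        result = check_message(raw)
        verdict = "use BCC or a mailing-list platform" if result["should_use_bcc"] else "ok"
        print(f"{label}: {result['visible']} visible, {result['external']} external -> {verdict}")
```

The project email passes (three visible addresses, one external partner), while the invitation is flagged because 37 external addresses from unrelated domains would each see all the others. A check like this belongs in a mail gateway or send hook as a prompt to the sender, not as a silent block, since legitimate group emails exist.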

If in doubt, speak to a Data Protection specialist.

Recent cases

In March 2023, the ICO formally reprimanded NHS Highland.

A department within NHS Highland had sent out an email to 37 people, inviting them to a meeting about HIV services.

When sending the email, the department had used the CC field and NOT the BCC field for the recipient emails, allowing each recipient to see all the other recipients' email addresses.  Most of the email addresses included the recipient's first name and surname, allowing some recipients to be directly identified.

The ICO would ordinarily have issued a fine of £35,000 for such a breach of data protection, but had recently begun operating under new guidance regarding fines in the public sector, and chose to formally reprimand NHS Highland instead, requiring them to make specific changes to their procedures and to demonstrate compliance with data protection legislation.


ICO link: https://ico.org.uk/action-weve-taken/enforcement/nhs-highland/