Incorrectly copying people into emails could get you fined under new ICO guidelines

Email symbols imposed on a digital themed background
(Image credit: Getty Images)

Organizations across the UK could face fines for inadvertently copying people into email chains under new guidelines published by the country’s data regulator.

The Information Commissioner’s Office (ICO) has advised businesses to “use alternatives” to the blind carbon copy (BCC) function when sending bulk emails that contain potentially sensitive information.

The warning from the regulator coincides with the publication of new guidance detailing how organizations can improve data protection practices relating to email communications.

Best practice advice from the ICO suggests that organizations using “large amounts of data” should consider using alternative means to the BCC function to prevent exposure of personal information.

The guidance also recommends improving training regimes for staff to cultivate a stronger understanding of data protection regulations and their application in email communications.

Mihaela Jembei, ICO director of regulatory cyber, said the new guidelines will provide organizations with a clear-cut framework for best practices, and warned that those found to be operating negligently could be reprimanded.

“This new guidance is part of our commitment to help organizations get email security right,” she said.

“However, where we see negligent behavior that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”

Responding to recent data breaches

The new guidance comes in direct response to a slew of data breaches related to email communications, which the regulator described as a “catalog of business blunders”.

An investigation into the issue from the ICO found that incorrect use of the BCC function is frequently in the top 10 of non-cyber-related breaches, with nearly 1,000 incidents reported since 2019.

“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year,” Jembei said. “These breaches can cause real harm, especially where sensitive personal information is involved.


IBM whitepaper Definitive guide to ransomware 2023

(Image credit: IBM)

Definitive guide to ransomware 2023

This document provides guidance on what organizations should do before, during, and after a ransomware attack. 


“While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organizations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers."

Failures were found to be a recurring theme across a range of industries, with organizations in the education sector, healthcare, local government, and retail among the most frequently reported for email-related issues.

The regulator has taken a tougher stance on email-linked data breaches in recent years. In 2022 the Tavistock and Portman NHS Trust was fined £78,400 for exposing the email addresses of over 1,700 gender identity patients.

More recently, it reprimanded two Northern Ireland-based organizations for wrongly disclosing people’s information in an email chain. The ICO also issued a reprimand to NHS Highland in March after data belonging to people accessing HIV services was exposed.

The regulator described the incident as a “serious breach of trust” that put users of the service at risk.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.