Avoiding personal data breaches – an important reminder about the use of ‘cc’ and ‘bcc’ in emails
Posted on behalf of: Karen Blackman
Last updated: Tuesday, 22 March 2022
The majority of the University’s reported personal data breaches result from the use of emails. As this is our most commonly used form of communication at the University, the Information Management team have published guidance on their webpages to help highlight and eliminate some of the risks arising from the use of emails. Please do take the time to familiarise yourself with this.
In particular, there has been a recent increase in the number of breaches resulting from the use of the ‘cc’ (copy) function; as such, it is important to understand when the use of this function is appropriate and when the ‘bcc’ (blind copy) function should be relied upon instead.
The ‘bcc’ function will ensure that the email addresses and names of the individuals you are contacting are not visible to other recipients. If the ‘bcc’ field does not appear by default in your email, it can be added via the options tab within an email – instructions on how to do this, including a screenshot, can be found in the guidance linked above.
As a general rule, the ‘bcc’ function should be used in cases where recipients are unlikely to know each other, in most cases where personal or external email addresses are involved, or where the email content may reveal further personal data about the individuals included which is not general knowledge.
It may be appropriate to use the ‘cc’ function for:
- An email conversation on a particular matter between specific colleagues who are part of a team or working group; or
- A small group of students who are in a seminar group together and already know each other.
However, blind copy (or ‘bcc’) should generally be used for larger groups and/or more sensitive emails – for example:
- When emailing all students on a course or in a particular year, or a large group of students who attend a lecture, i.e. in cases where the recipients are not likely to all know each other by name; or
- When emailing staff who are part of a network or membership group but are not necessarily known to each other.
Using ‘bcc’ provides an extra degree of privacy and security, and avoids the risk of revealing personal data to those who should not have it or do not need it, which may amount to a personal data breach.
If you have any questions or need further advice, please see below for some additional resources:
- Read Data Protection Email Guidance issued by the Information Management team
- Read Guidance for using Distribution Lists and Discussion Groups issued by IT Services
- Find out how to report a personal data breach
- Contact the Information Management team for further support and advice
Further information: https://www.sussex.ac.uk/ogs/policies/information/dpa/dp-email-guidance