Email-related data breaches are among the most commonly reported breaches in the HSE. These breaches mainly happen due to human error. Although these are simple mistakes that can be easily avoided, they pose a great risk to the protection of personal data.
Examples of email errors include sending an email:
- to the wrong person due to human error
- to the wrong person due to the email system predicting the email address from the first letters entered and the sender selecting the incorrect recipient
- with the wrong attachment
- to a person using the ‘To’ or ‘CC’ field instead of the ‘BCC’ field
Tips to avoid email errors
- Double check email addresses and attachments before you hit send
- Double check there is no personal data in the subject line
- Always use the ‘BCC’ function for large group emails and when there is personal data involved
- Think before you hit the ‘Reply All’ function when there is personal data involved
- Avoid using email for sharing sensitive data and large quantities of personal data. Contact the National Service Desk to see what options are available
- Follow the HSE Electronic Communications Policy for using email at work
CC and BCC in emails
You can use CC and BCC to include people as recipients of your email.
CC is an abbreviation for carbon copy (a reference to the historical practice of placing carbon paper between the paper you were writing on and the paper that would become your copy).
BCC is an abbreviation for blind carbon copy.
When CC is used, the email recipient can see a list of other email recipients. When BCC is used, the recipient cannot see that someone else has been sent a copy of the email.
When to use CC and BCC
- CC allows you to send an email to multiple people, where recipients can see each other's email addresses
- CC allows you to use the ‘Reply All’ function so those who received the email can share comments and attachments to all recipients of the email
You should always use CC when you don’t have to protect a person's email address and would like to provide the ‘Reply All’ option
- BCC allows you to send an email to multiple people who cannot see who else is receiving the email or their email addresses
- BCC does not allow people to use the ‘Reply All’ function, so those who received the email can’t share comments and attachments to all
You should always use BCC for large group emails and when you have to protect the email addresses of recipients and prevent the use of the ‘Reply All’ option
If you're in doubt or know a data breach occurred
If you’re in doubt or know a data breach has occurred, ask for help from your line manager and your local data protection officer.
If you send an email to the wrong person, send a follow-up email apologising and requesting confirmation that the email has been deleted from the ‘deleted items’ folder. Ask that the email not be used or shared further.
To help you avoid making an email-related data breach, watch this short video.
Know your HSE Email responsibilities
HSE employees must read and follow the requirements for appropriate storage and transmission of internal and external email; see the Information Classification Handling Policy.
HSE employees must read and follow the requirements for acceptable use of HSE’s email; see the Electronic Communications Policy.
To assess and refresh your knowledge on the correct use of HSE email, complete 'Good Information Practices' and 'Fundamentals of GDPR' training on HSeLanD