Data breach in the news – a ‘real life’ reminder of correct use of ‘cc’ and ‘bcc’ in emails
By: Greg Toth
Last updated: Tuesday, 5 March 2024

The UK Information Commissioner’s Office has fined the Ministry of Defence after the public authority sent emails using the “To” field rather than the “Bcc” field. 265 unique email addresses were disclosed in breach of GDPR Article 5(1)(f). The MOD was fined £350,000.
The majority of the University’s reported personal data breaches result from the use of emails. As this is our most commonly used form of communication at the University, the Information Management team have published guidance on their webpages to help highlight and eliminate some of the risks arising from the use of emails. Please do take the time to familiarise yourself with this.
The ‘bcc’ function will ensure that the email addresses and names of the individuals you are contacting are not visible to other recipients. If the ‘bcc’ field does not appear by default in your email, it can be added via the options tab within an email – instructions on how to do this, including a screenshot, can be found in the guidance linked above.
As a general rule, the ‘bcc’ function should be used in cases where recipients are unlikely to know each other, in most cases where personal or external email addresses are involved, or where the email content may reveal further personal data about the individuals included which is not general knowledge.
Using ‘bcc’ provides an extra degree of privacy and security, and avoids the risk of revealing personal data to those who should not have it or do not need it, which may amount to a personal data breach.
If you have any questions or need further advice, please see below for some additional resources:
- Read Data Protection Email Guidance issued by the Information Management team
- Read Guidance for using Distribution Lists and Discussion Groups issued by IT Services
- Find out how to report a personal data breach
Contact the Information Management team for further support and advice.
Further information: https://www.sussex.ac.uk/ogs/policies/information/dpa/dp-email-guidance