
The ICO has just issued a reprimand to NHS Highland for a serious breach of trust arising from failure to use BCC when emailing potential users of a service.

The facts relate to contact with HIV service users of NHS Highland. NHS Highland accidentally used CC instead of BCC when emailing a group of 37 HIV service users. As a result, each recipient could see the email addresses of all the other people contacted regarding the service.


One recipient confirmed that they were able to identify four people known to them via the email addresses. Failure to use BCC correctly when sending group emails is consistently in the top 10 non-cyber breaches, with around 1,000 reports to the UK ICO since 2019. It is also one of the most easily avoided breaches.


Head of Commercial Helen Brain says:


“Organisations must ensure they have appropriate technical and organisational measures in place to keep personal data secure and ensure that it is not disclosed inappropriately or accidentally to others. Taking the NHS Highland email breach as an example; while human error can and does occur, with the right technical measures in place this breach may have been avoided and the risk of a breach with potentially serious consequences for the data subjects could have been mitigated.”

