Over the summer, the Information Commissioner’s Office (ICO) issued two warnings, guidance, and a joint statement relating to two different ways that organisational data can be shared with unauthorised parties. The first relates to the use of blind carbon copy (BCC) and the second to data scraping from social media websites.
Under data protection laws, organisations must put in place appropriate technical and organisational measures to protect personal data from breaches of confidentiality. The ICO warnings gave a bit more information about what regulators expect to see.
What is the function of blind carbon copy in emails?
BCC is a field used to send emails to people without other recipients knowing who received the message. It has been recommended for a long time where people want to send information to small numbers of people without disclosing the email addresses of the other recipients. For example, an organisation might send an event invitation using BCC because the invitees don’t know each other and haven’t given permission for their direct email addresses to be shared with each other.
However, BCC is risky. The ICO says that BCC errors are consistently in its top 10 non-cyber breaches, and it has received over 1000 reports of BCC issues since 2019. As well as sharing direct contact details without permission, mistakes like this can tell recipients sensitive information about each other that they would not want to share. One example of a BCC failing involved individuals likely to be receiving HIV treatment – the sort of information most people would want to be able to control sharing.
The ICO has issued new guidance and particularly asks organisations to consider whether BCC is the right option, or whether alternatives like using specialist email software or simply sending individual copies of emails might be better.
What is data scraping?
Data scraping is a process where automated software takes information from websites. In the case of social media, the tools typically collect public social media posts to use for their own purposes. This has become more widely known recently due to the activities of companies like OpenAI, the creators ChatGPT, and Clearview AI, who make facial recognition software. Both companies trained their tools using information they scraped from websites.
The ICO has issued a joint statement alongside 11 other regulators from around the world telling social media websites that they need to do more to stop these tools from working. Interestingly, the joint statement doesn’t specifically refer to data collection by AI providers, but it does list several risks to individuals including the use of scraped data for cybercrime, unwanted marketing and surveilling individuals.
It notes that mass data scraping is likely to be a reportable data breach in many jurisdictions and makes it clear that in many countries, data does not count as ‘publicly accessible’ – and therefore fair game – just because it is published on a website. While the joint statement is particularly aimed at social media organisations, any organisation that hosts personal data on a website would be well advised to consider how it prevents data scraping, and how it would identify and respond to such an attack if it took place.
The ICO warnings about the unauthorised release of data are a reminder that organisations need to be careful with how they handle personal data. Organisations need to have appropriate safeguards in place to protect personal data from unauthorised access, use or disclosure.
