The Government has announced that the Information Commissioner's Office (ICO) has been notified of a data breach by the Homes and Communities Agency.
Whilst the breach itself is limited and does not include sensitive data, it is a good signpost for organisations and businesses as to the level of data breach that needs to be disclosed to the ICO.
The Homes and Communities Agency has offered an apology for the breach and is reassuring people that there is no need for concern, but as their data security policy has been breached, the incident has been reported.
What is perhaps more interesting to many organisations is what has actually happened.
Apparently an email was sent to 508 Housing Associations and the other recipients’ email addresses were visible to each recipient.
The fact that this constitutes a notifiable breach may come as something of a surprise to many readers: anybody who receives email on a regular basis will know that sending an email using “CC” rather than “BCC” is a common mistake. In truth, though, someone’s email address is data that can personally identify them.
Organisations plainly need a clear policy for group mailings, but in truth it is far safer to send electronic mailings to each recipient individually, on a one-off basis.
The need for this level of security and care is not new, but it is certainly something that may draw more attention under GDPR.