Yesterday, Rachel Cunliffe, Associate Political Editor of the New Statesman, reported that she had received an email from the Conservative Campaign Headquarters (CCHQ) about their forthcoming conference. However, she could also see the other 344 recipients, as they were all listed in the “To” box along with their email addresses. CCHQ had made the classic mistake of failing to use blind carbon copy (BCC) and thus, by exposing the personal data of recipients, breached the UK GDPR.
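As an added illustration (not code from the original post), the following Python shows the guardrail a mail-sending tool can apply before a bulk message leaves: real recipients go in Bcc, and any message that would expose more than a policy threshold of addresses in To/Cc is refused. The 345-address list and the threshold of one visible address are constructed assumptions; nothing is actually sent.

```python
# Added example: guardrail against the mass-mail BCC mistake described above.
# Standard library only; builds messages in memory and never sends them.
from email.message import EmailMessage

MAX_VISIBLE_RECIPIENTS = 1  # assumed policy: only the sender's own address may be visible


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see in the To and Cc headers."""
    seen = []
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        seen.extend(addr.addr_spec for addr in header.addresses)
    return seen


def check_recipient_exposure(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> None:
    """Refuse a message that exposes more than `limit` addresses; the caller logs and stops."""
    count = len(visible_recipients(msg))
    if count > limit:
        raise ValueError(
            f"{count} addresses visible in To/Cc (limit {limit}); put bulk recipients in Bcc"
        )


def build_bulk_message(sender: str, subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """Build a bulk message the safe way: the only visible address is the sender's own
    and every real recipient goes in Bcc. Mail clients and smtplib.send_message() pass
    Bcc to the SMTP envelope and strip the header, so recipients never see each other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # placeholder visible address; a no-reply mailbox works too
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    check_recipient_exposure(msg)  # passes: exactly one visible address
    return msg


# Constructed sample: a 345-recipient mailing like the one in the article.
SAMPLE_RECIPIENTS = [f"member{i}@example.invalid" for i in range(345)]


def unsafe_message() -> EmailMessage:
    """The mistake itself: every recipient placed in the To header."""
    msg = EmailMessage()
    msg["From"] = "events@example.invalid"
    msg["To"] = ", ".join(SAMPLE_RECIPIENTS)
    msg["Subject"] = "Conference"
    msg.set_content("See you there.")
    return msg
```

Run check_recipient_exposure() as the last step before handing a message to the mail server; the unsafe message above fails it with 345 visible addresses, the Bcc version passes.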
Failure to use BCC correctly in emails is one of the top data breaches reported to the ICO every year. But this incident is not just about exposing some email addresses. Recipients of the CCHQ email will be able to make assumptions about the political affiliations of their fellow recipients. Even if these assumptions are wrong, the email addresses can be classed as Special Category Data under the UK GDPR and are thus more sensitive than other personal data.
So can CCHQ expect a knock on the door from the ICO? Will they be fined? Whatever your political persuasion, you may think this error from those who run the Government deserves the strongest sanction. As Cunliffe writes:
“If you can’t trust the Conservatives with your email address, why should you trust them with anything else.”
Inadvertent disclosure of personal data in emails, through failure to use BCC, has been the subject of a number of GDPR enforcement actions by the ICO in the past few years. Just last December, the Ministry of Defence (MoD) was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. In October 2021, HIV Scotland was issued with a £10,000 fine when it sent an email to 105 people which included patient advocates representing people living with HIV. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk; this is also Special Category Data.
The ICO could follow the above examples and issue a fine, although in two recent cases it has gone for a softer option. Last year the Patient and Client Council (PCC) and the Executive Office were the subjects of ICO reprimands for disclosing personal data in the same way.
In a statement issued on X, the ICO said:
“The Conservative Party has made us aware of this incident and we are assessing the information provided.”
The Conservative Party has form when it comes to GDPR non-compliance.
Recently we wrote about The Good Law Project’s challenge to the Tories’ “data harvesting” from users of its online tax calculator. But this latest data breach is about more than GDPR compliance. To quote Rachel Cunliffe again:
“This is such a basic error, so easily avoided, it inevitably sets alarm bells ringing. If CCHQ doesn’t have the staff and training procedures to prevent a classic email-sharing error, what does that say about their resilience as a whole? How are their cybersecurity defences? What else is getting missed?”
The breach came on the day Rishi Sunak gave a speech to the Policy Exchange about the power of technology and how he, rather than Keir Starmer, could keep us safe. You can watch Sunak’s speech here although we prefer comedian Matt Green’s brilliant satirical take on it here.
We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.