Failure to use ‘bcc’ field in emails costs hospital £180,000


A clinic within Chelsea and Westminster Hospital NHS Foundation Trust, (‘the Trust’), treated patients with HIV. These patients were able to receive results and make appointments/enquiries by e-mail. The clinic also used email to send newsletters to those patients and some other patients who didn’t have HIV.

The clinic sent a newsletter to 781 patients. All the e-mail addresses were entered into the ‘to’ field instead of the ‘bcc’ field as a result of which all the recipients of the e-mail could see the e-mail addresses of all the other recipients.

This was not the first time this had happened and although the Trust had put in place some measures intended to stop it happening again, such measures did not include specific training to remind staff to double check that e-mail addresses were entered into the correct field.


The Trust failed to take appropriate technical and organisational measures against unauthorised processing of personal data in contravention of the seventh data protection principle of the DPA.

In other words, these errors amounted to data security breaches, which meant that the Trust was in breach of the DPA.


The ICO was satisfied that the data security breach was serious because:

  • Of the number of affected individuals (781)
  • The e-mail contained confidential and sensitive personal data
  • The Trust served a small geographical area, increasing the possibility that the affected individuals knew one another
  • E-mail addresses can be searched via social networks and search engines
  • Distress could be caused to those who discovered that their names have been disclosed to unauthorised recipients even if those concerns did not actually materialise.


The ICO decided that the Trust:

  • Must have been aware that there was a risk that staff working in the clinic could enter the group e-mail addresses into the wrong field, (particularly as there had been an earlier data security breach of a similar nature)
  • Knew or reasonably ought to have known that such a data security breach was likely to cause substantial distress.
  • Failed to take reasonable steps to prevent the data security breach.

The Trust was £180,000.


The error the Trust committed – sending a large number of emails via the ‘to’ field, rather than the ‘bcc’ field is – is probably one that many organisations commit and is obviously something that can be easily done.

However, this case shows, that’s no excuse, (and certainly no defence) especially when it’s happened before and is avoidable.

This case demonstrates, yet again, that the ICO expects organisations to provide effective and relevant staff training about data protection. This means training that is focused and presented in a way that is memorable.


Datahelp believes that excellent training is the outcome of mixing good material with great teaching. This means the course content must be accurate, relevant to the audience and presented so as to engage the audience to understand, care, and remember.


This article is intended for informational purposes only and should not be relied upon as legal advice.


We believe that data protection is about protecting people  and that the four elements of data protection are trust, transparency, privacy and security

If you agree and like this page please feel free to share it on Linked In, Twitter and Facebook

To contact us call 07902 395989 or use our contact form

Leave a Reply

Your email address will not be published. Required fields are marked *