We don’t always mean to breach the General Data Protection Regulation (GDPR). But simple mistakes can sometimes pose a threat to data security within an organisation. Our example shows how important it is to be aware of GDPR.

Please read the scenario below and answer the questions that follow. You’ll find the answers at the bottom of the page.

Barry is a Re-engage tea party group coordinator and his role involves planning tea parties and regularly communicating with the older people and volunteers in his group, as well as with staff at Re-engage. Barry uses email to communicate wherever possible. He is aware of the principles of GDPR and is familiar with the charity’s GDPR policy. He is also very mindful of the importance of keeping personal and sensitive data safe, and he always makes sure that he only shares information with those who need to see it.

For Barry, keeping everyone in the loop is key to the smooth running of his tea parties. When Barry wants to share information about a tea party with everyone in his group, he normally includes the email addresses of those who should receive that information in the ‘To’ field in Outlook. This way he sends the information to the relevant people with one click. If he receives a question that may be relevant to only some of the volunteers or older people in the group, Barry replies to the same email and copies in those who should be kept informed by pasting their names into the ‘Cc’ field in Outlook. Barry has been using this approach for personal and professional emails for many years.

Questions:

1. Is there anything in Barry’s approach which could potentially lead to a GDPR breach?

a. Yes

b. No

c. Not sure


2. What would you do differently if you were in Barry’s place as a group coordinator?

a. I wouldn’t use email at all.

b. I would email everyone separately.

c. I would use the ‘Bcc’ field rather than the ‘Cc’ or ‘To’ fields.

d. I would continue communicating in the same way as no one has raised any concerns.

3. What would you do as a volunteer if you had any concerns about the way personal or sensitive data is being handled in your group? (More than one option may apply).

a. I would get in touch with Re-engage and share my concerns.

b. I would speak to the person who is handling the data in an unsafe way.

c. I wouldn’t do anything as everyone is responsible for their own actions.

d. I would speak to my group coordinator and share my concerns.

Answers:

Q1: a

Volunteers use their personal or work email addresses, and an address may itself contain personally identifiable information such as a full name, date of birth or ID number. By adding email addresses to the ‘To’ and ‘Cc’ fields, those addresses are visible to everyone included in the email and are shared with the other recipients without their prior consent. This is a breach of GDPR regulations.

Q2: c

By using Bcc (blind carbon copy) rather than To or Cc (carbon copy), we can still send an email to multiple recipients while protecting individuals’ email addresses. Any given recipient will only see their own and the sender’s email address; the other recipients remain hidden.

Extra caution: be careful with email chains, ‘reply all’ and forwarding, as the message may contain personally identifiable information and pass it on to people who do not need it and should not have it. If you add recipients to an email discussion, check the content of the email beforehand to make sure it does not contain any sensitive or personal information.
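The following is an added pre-send check, written for this page and not part of Re-engage’s own materials: it flags a message where several people are visible in the To and Cc fields (Barry’s usual habit) and rewrites it so that only the sender’s address is visible, with everyone else in Bcc. The names and addresses in it are constructed for illustration.

```python
"""Pre-send check for group mailings: flag messages that expose recipient
addresses via To/Cc, and rewrite them so every recipient sits in Bcc.
Added example for the GDPR scenario above; names and addresses below are
constructed for illustration, not taken from the page."""
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that all recipients would see (To + Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def exposes_addresses(msg: EmailMessage) -> bool:
    """True when more than one person other than the sender is visible.
    A one-to-one email is fine; a group mailing in To/Cc is not."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    others = {a.lower() for a in visible_recipients(msg)} - {sender}
    return len(others) > 1


def to_bcc(msg: EmailMessage) -> EmailMessage:
    """Rewrite a group mailing so only the sender is visible: To becomes the
    sender's own address, Cc is dropped, every recipient moves to Bcc."""
    sender = parseaddr(str(msg["From"]))[1]
    existing_bcc = [a for _n, a in getaddresses(msg.get_all("Bcc", [])) if a]
    recipients = sorted({a for a in visible_recipients(msg) + existing_bcc
                         if a.lower() != sender.lower()})
    del msg["To"], msg["Cc"], msg["Bcc"]   # deleting an absent header is a no-op
    msg["To"] = sender
    if recipients:
        msg["Bcc"] = ", ".join(recipients)
    return msg


def build_example() -> EmailMessage:
    """Constructed sample of the risky pattern: everyone in To/Cc."""
    msg = EmailMessage()
    msg["From"] = "Barry <barry@example.org>"
    msg["To"] = "Ann <ann@example.org>, bob@example.org"
    msg["Cc"] = "carol@example.org"
    msg["Subject"] = "Tea party on Saturday"
    msg.set_content("Hello all, details of Saturday's tea party follow.")
    return msg
```

When the rewritten message is handed to smtplib’s send_message(), the Bcc header is stripped from what each recipient receives while its addresses are still used for delivery, so nobody sees the full list.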

Q3: a and c

Remember the three Rs.

  • Recognise.
  • Record.
  • Report.

If you have any concerns around handling and sharing personal and sensitive information, please discuss this with your group coordinator. If you know or suspect that a GDPR breach has taken place, please report the information to Re-engage immediately via knowledge@reengage.org.uk. Re-engage is responsible for keeping personal information safe. We can’t do it without your help.

Before sharing any information, pause and ask yourself this key question: does the email include any personal or sensitive information? If it does, choose the safest way to send it.

Ensure personal information only goes to those who need to have it. Always use Bcc when sending an email to multiple recipients.

If you have any further questions about GDPR, please take a look at the GDPR training and FAQs on our website.
