Skip to main content

Before clicking ‘Send’, check and check again!

Sending an email to the wrong recipient is perhaps one of the most common types of data breach that can occur. One example is erroneously sending a Carbon Copy (‘CC’) email or an email with recipients in the ‘TO’ field instead of a Blind Carbon Copy (‘BCC’) email. This can have serious implications in terms of general confidentiality obligations as well as significant implications in terms of the EU General Data Protection Regulation (‘GDPR’) which came into effect across the EU, including Malta, on 25th May 2018.

This is exactly what happened in February 2017 to the ‘Independent Inquiry into Child Sex Abuse’ (‘IICSA’) when an IICSA staff member sent out a bulk email to ninety (90) possible victims of child sexual abuse participating in the inquiry. Instead of sending an email to the ninety (90) participants by using the ‘BCC’ field (so that the participants would not see each other’s details), the IICSA staff member accidentally used the ‘TO’ field. This revealed the email addresses of all participants to each other. Fifty-two (52) of the emails actually contained the full name of the participant.

This case was dealt with by the ICO (the UK’s equivalent of the Maltese Information and Data Protection Commissioner) under the provisions and maximum penalties of the UK Data Protection Act 1998, and not the new 2018 Act which, as a result of the GDPR, has replaced it, because of the date of the breach. This notwithstanding, on 18th July 2018, the ICO imposed the significant fine of two hundred thousand (200,000) Sterling on the IICSA for causing this data breach. The ICO found, inter alia, that the IICSA failed to make use of an email account that could send separate messages to each participant and also failed to provide its staff with appropriate training and guidance.

The ICO’s director of investigations, Mr. Steve Eckersley said: “This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.”

People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

With the risk of fines now going up as high as twenty (20) million euros or 4% of an organisation’s worldwide annual turnover, even Maltese data controllers must take extra steps to ensure that staff members are aware of these risks as well as the broader implications of the GDPR. In all cases, before correspondence is sent out, it is crucial (now more than ever) to ensure that the recipient(s) is/are correct and that no personal data or even confidential data are accidentally disclosed to unauthorised entities.

For more information about this specific case, please visit the ICO’s website at

For more information about the GDPR more generally, please visit our microsite at which will continue receiving updates on a regular basis. 

This document does not purport to give legal advice. For any queries relating to data protection (including information about data breach reporting), please do not hesitate to contact Dr. Claude Micallef-Grimaud or Dr. Antoine Camilleri.