To BCC or Not to BCC? That Is the Question

Sending an email to a group of people without using the blind carbon copy (BCC) field might not seem like a big deal – but it’s important to remember that email addresses are personal information.

In Saskatchewan, The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) requires municipalities and hamlets to have administrative, technical and physical safeguards in place to protect personal information – including the personal email addresses of ratepayers.

Earlier this year, the Office of the Saskatchewan Information and Privacy Commissioner (IPC) released a report following an investigation into an organized hamlet that emailed hundreds of ratepayers without BCCing the recipients. The report offers a valuable reminder of the steps municipalities must take to protect the personal information under their control.

Email Was Sent to Hundreds of Ratepayers

In this case, the hamlet chair emailed a notice to more than 200 ratepayers without using the BCC field for the recipients’ email addresses, which meant the addresses were visible to everyone included on the email. Shortly after the email was sent, the hamlet chair sent another email apologizing for the mistake and asking ratepayers to delete the previous email.

One of the ratepayers filed a complaint with the rural municipality that is home to the hamlet in question. After the municipality advised the ratepayer that the privacy breach had been dealt with appropriately, the ratepayer filed a complaint with the IPC, which went on to investigate the matter.

Investigation Uncovered Numerous Shortcomings

Once a privacy breach occurs, the IPC recommends government institutions and local authorities – including municipalities and hamlets – take the following steps:

  • Contain the privacy breach
  • Notify affected individuals
  • Investigate the breach
  • Prevent future breaches

While the municipality in this case claimed that the hamlet had followed each of those steps, the IPC’s investigation uncovered numerous shortcomings.

For instance, the hamlet chair requested that ratepayers delete the first email, but he did not request confirmation that the email had been deleted – making it unclear if the breach had, in fact, been contained. Nor did he attempt to recall the first email.

The IPC also found that while the hamlet did notify ratepayers of the breach, the notification was missing certain details the IPC recommends including, such as the steps taken and planned to prevent future breaches, and a statement informing individuals that they have a right to complain to the IPC.

In considering whether the municipality had taken steps to investigate the breach and prevent future breaches, the IPC discovered the municipality did not have a privacy policy and that its staff had not received any privacy training.

“The only safeguard that was in place was a communication policy that did not address the [municipality’s] privacy obligations when using electronic communications,” read the IPC report.

Recommendations Include Implementing a Privacy Policy

To prevent and address future breaches, the IPC recommended that the municipality:

  • develop a policy for responding to privacy breaches that includes measures for containing a breach and notifying affected parties;
  • develop a privacy policy addressing the collection, use and disclosure of personal information in compliance with LA FOIP;
  • have all staff sign a confidentiality agreement;
  • have annual privacy training for all staff; and
  • address the use of BCC fields in its communications policy.

Are You Meeting Your Privacy Law Obligations?

This case serves as an important reminder to municipalities to have proper safeguards in place for protecting ratepayers’ personal information. Municipalities may face more serious consequences, including reputational impacts, for failing to protect personal information.

MLT Aikins has extensive experience advising municipalities on their privacy law obligations. We have helped municipalities develop privacy policies, confidentiality agreements, breach response policies and privacy training for staff. Contact our Municipal or Privacy, Data Protection & Cybersecurity group to learn more.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.