
Data protection issues when emailing many recipients


Nogood Boyo

Feb 20, 2015, 9:09:21 AM
When a club emails newsletters etc to all its members, are there any data
protection issues involved if names / email addresses of other members are
disclosed in the To: field?

(Email programs seem to have a mind of their own as to the way in which
names and email addresses are displayed - sometimes just name, sometimes
just email, sometimes both).

Some organisations use Bcc: to hide such addresses but I'm not keen on that,
because I find it helpful to know who else has received an email, so that I
know whether or not I need to share it with others.

Advice appreciated.

Nogood Boyo


Clive George

Feb 20, 2015, 9:48:52 AM
Use BCC for bulk emails of things like newsletters - it's the right
thing to do, regardless of legal issues. For such things you don't need
to know who else has received it - it should be the entire club.

If you're worried about fellow club members not receiving the emails,
asking them is the right thing to do rather than putting everybody in
the "to" list.

BCC also solves the problem of reply-all storms - which normally happens
in a work context, but is worth avoiding :-) If you're ever the
recipient of one of these you very quickly realise why BCC is the right
thing.

For private communication, eg within a committee about the finances of
the club, where you will want to know who else has got it, the number of
recipients should be small enough that CC/TO is the right thing to do.


Martin Bonner

Feb 20, 2015, 10:19:50 AM
On Friday, 20 February 2015 14:09:21 UTC, Nogood Boyo wrote:
> When a club emails newsletters etc to all its members, are there any data
> protection issues involved if names / email addresses of other members are
> disclosed in the To: field?
>
> (Email programs seem to have a mind of their own as to the way in which
> names and email addresses are displayed - sometimes just name, sometimes
> just email, sometimes both).

I don't know of any email client which doesn't make the email address
of all the "To:/CC:" recipients available. It may display as:
Martin Bonner
or
Martin Bonner <martin...@yahoo.co.uk>
or
martin...@yahoo.co.uk

but the actual email address is always available. You can right click
on the name, or *something* to display the email address.

I agree - BCC is the right thing to do for bulk email. I would get
cross with an organization that *didn't* BCC me if there are more than
about 10 recipients.

Jon Ribbens

Feb 20, 2015, 10:24:56 AM
On 2015-02-20, Nogood Boyo <use...@bwllfa.co.uk> wrote:
> When a club emails newsletters etc to all its members, are there any data
> protection issues involved if names / email addresses of other members are
> disclosed in the To: field?

Yes. Unless you're talking about an absolutely tiny number of people,
do not do that, it would be illegal. This is the sort of thing that
gets organisations in big trouble if they do it *by accident* let alone
if you were to do it deliberately.

> Some organisations use Bcc: to hide such addresses but I'm not keen on that,
> because I find it helpful to know who else has received an email, so that I
> know whether or not I need to share it with others.

I might find it helpful to shove people out of the way if they're in
front of me in a queue, but that doesn't mean it's reasonable or legal
for me to do so.

Roland Perry

Feb 20, 2015, 10:40:05 AM
In message <I_idncxMDaCn1HrJ...@brightview.co.uk>, Clive
George <cl...@xxxx-x.fsnet.co.uk> writes
>Use BCC for bulk emails of things like newsletters - it's the right
>thing to do, regardless of legal issues.

Although it's a good way to have emails undelivered because some
anti-spam systems don't like it.

I'd suggest using some 'proper' list emailing software, such as
Mailchimp.
--
Roland Perry

JohnDavidson

Feb 20, 2015, 12:18:41 PM

It has been a long-standing convention to put multiple recipients into the
BCC field (and typically address the email to yourself). There are two
primary reasons:

1. Not everyone might want their email address communicated to all the
recipients; while you might have their permission to send them emails, do
you have their permission to share their email address?

2. In the event that one of the recipient's emails is infected with a virus,
it's likely that the virus will attempt to harvest every email address it
can find on the infected machine and attempt to propagate itself to those
addresses.

An email from a well managed club should contain information at the footer
along the lines of "you have been sent this email because you are a member
of the Nether Wallop Bog Snorkelling Society". On that basis, you have no
need to take further action, but if your club doesn't do this, I'd have a
word.

Lastly, I'd tend to go along with another poster's comment about using a
mailing service. Mailchimp - the one already mentioned - is free for a
fairly large number of users, is easy to set up and emails everyone
individually, thus getting around the whole problem.



Tim+

Feb 20, 2015, 12:47:15 PM
Except, that if you look at all the headers, I'm pretty sure that all the
recipients' addresses are there even when you use BCC. Certainly on casual
inspection all that you see is yourself as a recipient.

Tim

Mark Goodge

Feb 20, 2015, 12:51:31 PM
On Fri, 20 Feb 2015 14:04:18 -0000, Nogood Boyo put finger to keyboard and
typed:

>When a club emails newsletters etc to all its members, are there any data
>protection issues involved if names / email addresses of other members are
>disclosed in the To: field?

Yes. It's potentially (and quite probably) a data protection breach. And
not a hypothetical one, either, organisations quite often get into trouble
with the ICO for this kind of thing. It only takes one complaint.

>(Email programs seem to have a mind of their own as to the way in which
>names and email addresses are displayed - sometimes just name, sometimes
>just email, sometimes both).

That generally depends on whether or not the name and address are already
in its own address book.

>Some organisations use Bcc: to hide such addresses but I'm not keen on that,
>because I find it helpful to know who else has received an email, so that I
>know whether or not I need to share it with others.

If you're using Bcc, then you can make the primary address something like
"allme...@example.com" so that everyone knows it's gone to all members.

But if the club has more than a handful of members then you should be using
proper mailing list software for that sort of thing anyway. Lack of ability
to run the software yourself is not a reason not to; several ESPs
(including MailChimp, probably the most popular) offer a free service for
small (up to a couple of thousand recipients) mailings. Using them not only
protects you against breaking the law, but it's actually easier than
hand-crafting a list of recipients and your emails look more professional,
too.

Mark
--
Please take a short survey on smartphones: http://goodge.eu/an
My blog: http://www.markgoodge.uk

Mark Goodge

Feb 20, 2015, 12:53:52 PM
On Fri, 20 Feb 2015 17:18:30 +0000, Tim+ put finger to keyboard and typed:
No, they're not. Bcc is split out by the mail server, and each recipient
only sees the Bcc address.

Roland Perry

Feb 20, 2015, 1:14:12 PM
In message <dgseeah7kl1lhtotd...@news.markshouse.net>,
Mark Goodge <use...@listmail.good-stuff.co.uk> writes
>>(Email programs seem to have a mind of their own as to the way in which
>>names and email addresses are displayed - sometimes just name, sometimes
>>just email, sometimes both).
>
>That generally depends on whether or not the name and address are
>already in its own address book.

Makes no difference here. I always see exactly what's in the "From:"
header line; no more, no less, and anything already in the address book
is irrelevant.
--
Roland Perry

tim.....

Feb 20, 2015, 1:57:23 PM

"Mark Goodge" <use...@listmail.good-stuff.co.uk> wrote in message
news:dgseeah7kl1lhtotd...@news.markshouse.net...
> On Fri, 20 Feb 2015 14:04:18 -0000, Nogood Boyo put finger to keyboard and
> typed:
>
>>When a club emails newsletters etc to all its members, are there any data
>>protection issues involved if names / email addresses of other members are
>>disclosed in the To: field?
>
> Yes. It's potentially (and quite probably) a data protection breach.

what, if the only people who get the information are the members?

Surely in a "club" all of the members know who are the other members, so
what is the "personal" information that has been revealed by them receiving
the list again

tim





Nogood Boyo

Feb 20, 2015, 2:02:51 PM

"Mark Goodge" <use...@listmail.good-stuff.co.uk> wrote in message
news:dgseeah7kl1lhtotd...@news.markshouse.net...
Thanks everyone. Advice appreciated.

Nogood Boyo


Roland Perry

Feb 20, 2015, 2:18:31 PM
In message <mc800h$b7d$1...@dont-email.me>, tim.....
<tims_n...@yahoo.co.uk> writes
>>>When a club emails newsletters etc to all its members, are there any data
>>>protection issues involved if names / email addresses of other members are
>>>disclosed in the To: field?
>>
>> Yes. It's potentially (and quite probably) a data protection breach.
>
>what, if the only people who get the information are the members?
>
>Surely in a "club" all of the members know who are the other members,
>so what is the "personal" information that has been revealed by them
>receiving the list again

Personal Information is well defined, I trust we don't need to go over
that. There's no exemption for unlawfully processing[1] personal data
that's already known to some of the people you leak it to. The only
get-out might be a sort of super domestic-exemption, but I don't think
that would apply in these circumstances.

[1] Which includes distributing it.
--
Roland Perry

Mark Goodge

Feb 20, 2015, 3:32:32 PM
On Fri, 20 Feb 2015 18:56:54 -0000, tim..... put finger to keyboard and
typed:

>
>"Mark Goodge" <use...@listmail.good-stuff.co.uk> wrote in message
>news:dgseeah7kl1lhtotd...@news.markshouse.net...
>> On Fri, 20 Feb 2015 14:04:18 -0000, Nogood Boyo put finger to keyboard and
>> typed:
>>
>>>When a club emails newsletters etc to all its members, are there any data
>>>protection issues involved if names / email addresses of other members are
>>>disclosed in the To: field?
>>
>> Yes. It's potentially (and quite probably) a data protection breach.
>
>what, if the only people who get the information are the members?

Yes.

>Surely in a "club" all of the members know who are the other members, so
>what is the "personal" information that has been revealed by them receiving
>the list again

If it's a very small club, possibly. But even so, they may not have given
permission for their email addresses to be shared with everyone else. And
there's no overriding reason why everyone in a club will of necessity know
everyone else. When I was a member of a sailing club, I certainly didn't
know every other member - especially given that many of them were social
members only, and didn't participate in racing. And that was only a
relatively small club.

spuorg...@gowanhill.com

Feb 21, 2015, 2:48:33 AM
On Friday, 20 February 2015 20:32:32 UTC, Mark Goodge wrote:
> >> Yes. It's potentially (and quite probably) a data protection breach.
> >what, if the only people who get the information are the members?
> Yes.
> If it's a very small club, possibly. But even so, they may not have given
> permission for their email addresses to be shared with everyone else.

Also, it may be that it's not only the members who will receive the email. IME, in quite a lot of "older people's" households in particular, one person has the computer and does the emailing etc for the couple and they share the address.

Therefore if A is married to B (and they use A's address), and C is married to D (and they use D's address), and B and C are in the group, a CC'd email to B and C may disclose A's address to D.

Younger people are much more likely to have individual addresses and individual access on tablets etc.

Owain

Paul Rudin

Feb 21, 2015, 3:08:11 AM
Tim+ <timdow...@yahoo.co.uk> writes:


> Except, that if you look at all the headers, I'm pretty sure that all the
> recipients' addresses are there even when you use BCC.

No - they are not. (Or at least, not unless you're using a very broken
mail server.)


polygonum

Feb 21, 2015, 3:37:26 AM
On 20/02/2015 14:04, Nogood Boyo wrote:
BCC is not adequate for many reasons. Not least the ease with which a
mistake can be made. It hasn't happened in years, but I have had several
such where the sender accidentally used CC and I saw hundreds of
addresses. Large numbers of recipients can also be a trigger for spam
filtering.

Not that mailing-list software is entirely foolproof. The other day one
of the organisations we deal with sent out their regular newsletter.
Unfortunately, instead of sending a link to the actual newsletter, it
was attached. The software spent the best part of three days sending
individual emails with this large attachment... But when it works, it
simply works its way through sending individual emails. That also makes
handling re-sends easier because they have a nice, neat list of
addresses that could not be sent to.

--
Rod
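
An added example, not part of the thread, for the two points argued above: what a recipient can read in the headers when a newsletter goes out To: everyone, by Bcc, or as one message per member. The club, addresses and function names are constructed; `hand_to_transport` models the documented behaviour of Python's `smtplib.send_message`, which does not transmit Bcc headers.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: a hypothetical club and three members.
SENDER = "newsletter@club.example"
MEMBERS = ["alice@example.org", "brian@example.net", "clara@example.com"]


def build(to=(), bcc=()):
    """Build a newsletter; with no To: recipients it is addressed to the sender."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(to) if to else SENDER
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "Club newsletter"
    msg.set_content("See you at the AGM.")
    return msg


def hand_to_transport(msg):
    """Return (envelope recipients, bytes transmitted) for a correct submission.

    Recipients come from To, Cc and Bcc; the Bcc header itself is dropped
    before the message is serialised, so it travels in the envelope only.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpts = [addr for _, addr in getaddresses([str(f) for f in fields])]
    wire = message_from_bytes(msg.as_bytes(), policy=policy.default)  # work on a copy
    del wire["Bcc"]
    return rcpts, wire.as_bytes()


def exposed_to(recipient, wire_bytes, members=MEMBERS):
    """Other members' addresses found in any header of the delivered message."""
    received = message_from_bytes(wire_bytes, policy=policy.default)
    headers = [str(value).lower() for value in received.values()]
    return sorted(m for m in members
                  if m != recipient and any(m in h for h in headers))


def audit(recipient="alice@example.org"):
    """What one member can read in the headers under each way of sending."""
    results = {}
    _, wire = hand_to_transport(build(to=MEMBERS))
    results["to_everyone"] = exposed_to(recipient, wire)
    bcc_msg = build(bcc=MEMBERS)
    _, wire = hand_to_transport(bcc_msg)
    results["bcc_stripped"] = exposed_to(recipient, wire)
    # Misbehaving path: the Bcc header is transmitted as written.
    results["bcc_not_stripped"] = exposed_to(recipient, bcc_msg.as_bytes())
    # One message per member, as a list service sends them.
    _, wire = hand_to_transport(build(to=[recipient]))
    results["individual"] = exposed_to(recipient, wire)
    return results


if __name__ == "__main__":
    for scenario, leaked in audit().items():
        print(f"{scenario:17} {leaked}")
```

Running `exposed_to` over a test message delivered to a mailbox you control is a quick pre-send check that the sending path does not carry other members' addresses.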

Roland Perry

Feb 21, 2015, 4:15:27 AM
In message <368cbcf9-4db9-4ff4...@googlegroups.com>,
spuorg...@gowanhill.com writes
>> >> Yes. It's potentially (and quite probably) a data protection breach.
>> >what, if the only people who get the information are the members?
>> Yes.
>> If it's a very small club, possibly. But even so, they may not have given
>> permission for their email addresses to be shared with everyone else.
>
>Also, it may be that it's not only the members who will receive the
>email. IME, in quite a lot of "older people's" households in
>particular, one person has the computer and does the emailing etc for
>the couple and they share the address.
>
>Therefore if A is married to B (and they use A's address), and C is
>married to D (and they use D's address), and B and C are in the group,
>a CC'd email to B and C may disclose A's address to D.

While I agree that the addresses should not be leaked in the first
place, I'd argue that A's email address if consistently shared with B
*is* also B's email address (same for C&D).

Looked at another way, both A and D will be familiar with, and
consenting to, "their" email address being disclosed to *all* B & C's
correspondents.
--
Roland Perry

Mark Goodge

Feb 21, 2015, 5:17:22 AM
On Sat, 21 Feb 2015 09:10:53 +0000, Roland Perry put finger to keyboard and
typed:
Yes, but it's the converse which is the issue. If Alice and Brian share an
email address, but only Alice is a member of the club that both Clara and
David also belong to, David and Clara may have agreed to share their email
addresses with Alice, but not with Brian.

Roland Perry

Feb 21, 2015, 6:47:11 AM
In message <aimgeal7j9apeea0l...@news.markshouse.net>,
Mark Goodge <use...@listmail.good-stuff.co.uk> writes

>>>Therefore if A is married to B (and they use A's address), and C is
>>>married to D (and they use D's address), and B and C are in the group,
>>>a CC'd email to B and C may disclose A's address to D.
>>
>>While I agree that the addresses should not be leaked in the first
>>place, I'd argue that A's email address if consistently shared with B
>>*is* also B's email address (same for C&D).
>>
>>Looked at another way, both A and D will be familiar with, and
>>consenting to, "their" email address being disclosed to *all* B & C's
>>correspondents.
>
>Yes, but it's the converse which is the issue. If Alice and Brian share an
>email address, but only Alice is a member of the club that both Clara and
>David also belong to, David and Clara may have agreed to share their email
>addresses with Alice, but not with Brian.

David and Clara have agreed to share their email address (singular) with
anyone that either of them corresponds with - that much is clear from
the configuration and their custom and practice. Indeed some couples I
know make it even more explicit by having a joint email address of the
form 'DavidClaraSurname@'.

What about when the emails have arrived? Well, there's no difference for
these purposes between sending to an email address that's shared between
Alice and Brian, or sending to a unique email address for Alice which is
collected in a mailbox/account which is shared by Alice and Brian (and
maybe even other members of their household) where everyone can see each
other's emails.

Would you regard the latter situation as some form of breach of DPA
(given that households don't need to notify as data processors), or
simply a risk that anyone takes sending an email to such an
address/account?

--
Roland Perry

spuorg...@gowanhill.com

Feb 21, 2015, 8:01:57 AM
On Saturday, 21 February 2015 09:15:27 UTC, Roland Perry wrote:
> Looked at another way, both A and D will be familiar with, and
> consenting to, "their" email address being disclosed to *all* B & C's
> correspondents.

But despite being members of the same club, B and C might not correspond with each other. They might not know each other. Or they might know each other, but not that each other is in the same club. They don't consent to or expect the club to share their email addresses with everyone else in the club.

David might not expect that, when Clara goes to the group for partners of alcoholics, his email address will be sent to Alice, who happens to be his manager at work, and vice versa.

Owain




Mark Goodge

Feb 21, 2015, 8:28:41 AM
On Sat, 21 Feb 2015 11:41:23 +0000, Roland Perry put finger to keyboard and
typed:

>David and Clara have agreed to share their email address (singular) with
>anyone that either of them corresponds with - that much is clear from
>the configuration and their custom and practice. Indeed some couples I
>know make it even more explicit by having a joint email address of the
>form 'DavidClaraSurname@'.
>
>What about when the emails have arrived? Well, there's no difference for
>these purposes between sending to an email address that's shared between
>Alice and Brian, or sending to a unique email address for Alice which is
>collected in a mailbox/account which is shared by Alice and Brian (and
>maybe even other members of their household) where everyone can see each
>other's emails.
>
>Would you regard the latter situation as some form of breach of DPA
>(given that households don't need to notify as data processors), or
>simply a risk that anyone takes sending an email to such an
>address/account?

If Alice gives permission for her email address to be made available to
David, but not Clara, then anyone who makes it available to Clara, or
facilitates doing so, is potentially in breach of the DPA. If it is David
himself who does so, and Clara is a member of his own household, then the
household exemption comes into play and David isn't in breach. But if Eric
knows that Brian shares all his data with Clara, and makes Alice's email
address available to David even though Eric knows that Alice has not given
permission for it to be made available to Clara, then Eric, if he is acting
on behalf of a data processor (eg, a club) is in breach. The only way he
can avoid being in breach is not to send Alice's email address to David.

Roland Perry

Feb 21, 2015, 8:38:37 AM
In message <84f54fe0-e89f-4e1f...@googlegroups.com>,
spuorg...@gowanhill.com writes
Obviously the "don't use bcc:" thing will stop most of the
inter-household leakage in the case of the club. The intra-household
leakage is inherent in sharing the email address.

In the general case no-one can be surprised if an email sent to a person
is also accessible to their partner, as a consequence of all sorts of
sharing that might be going on.

Not just sharing email addresses, but also the sharing of a PC or the
sharing of a 'classic' email account where all the emails for the
household arrive in one "Outlook-ish" display window.

Having individual email addresses, and using webmail, or making sure the
emails are delivered to separate 'computers' (one or more of which might
be tablets/phones these days), will increase the privacy for both
senders and recipients.

But we should never forget the old maxim of "never send anything in an
email that you wouldn't put on the back of a postcard (to be picked up
from the doormat by anyone who happens to be passing)".
--
Roland Perry

Roland Perry

Feb 21, 2015, 9:20:31 AM
In message <061heatb6oguk9pvn...@news.markshouse.net>,
Mark Goodge <use...@listmail.good-stuff.co.uk> writes
>>David and Clara have agreed to share their email address (singular) with
>>anyone that either of them corresponds with - that much is clear from
>>the configuration and their custom and practice. Indeed some couples I
>>know make it even more explicit by having a joint email address of the
>>form 'DavidClaraSurname@'.
>>
>>What about when the emails have arrived? Well, there's no difference for
>>these purposes between sending to an email address that's shared between
>>Alice and Brian, or sending to a unique email address for Alice which is
>>collected in a mailbox/account which is shared by Alice and Brian (and
>>maybe even other members of their household) where everyone can see each
>>other's emails.
>>
>>Would you regard the latter situation as some form of breach of DPA
>>(given that households don't need to notify as data processors), or
>>simply a risk that anyone takes sending an email to such an
>>address/account?
>
>If Alice gives permission for her email address

The one she shares with Brian

>to be made available to David, but not Clara, then anyone who makes it
>available to Clara, or facilitates doing so, is potentially in breach of
>the DPA.

Clearly, if Alice knows that Clara and David share an email address,
then there's a presumption she has consented. Particularly if the shared
email address is Clara@ (often it's a male dominated sharing, but I
recently started corresponding with someone who shares his wife's email
address).

>If it is David himself who does so, and Clara is a member of his own
>household, then the household exemption comes into play and David isn't
>in breach.

Agreed.

>But if Eric knows that Brian

Do you mean David?

>shares all his data with Clara, and makes Alice's email address

Even if that email address is Brian@, and he's unaware the intended
recipient is Alice?

>available to David even though Eric knows that Alice has not given
>permission for it to be made available to Clara,

Knows that she has omitted to convey her permission to him (because, why
would she); or knows she has positively communicated "I do not permit"?

Obviously he would also have to know that Brian@ is also Alice's email
address, and that in the circumstances the mailing is meant for Alice
and not Brian.

>then Eric, if he is acting on behalf of a data processor (eg, a club)

Does the club have to Notify?

>is in breach. The only way he can avoid being in breach is not to send
>Alice's email address to David.

Which means he can't send the email at all [quite separately from the
bcc: scenario; just a one-off "to:" would equally well infringe].

This is a massive can of worms, and makes it virtually impossible to
send an email to anyone who you might even slightly suspect shares an
email account, or an email client, with someone else - unless you have a
cast-iron list of permissions from everyone involved.
--
Roland Perry

Mark Goodge

Feb 21, 2015, 4:58:20 PM
On Sat, 21 Feb 2015 14:11:27 +0000, Roland Perry put finger to keyboard and
typed:
Yes, sorry.

>>shares all his data with Clara, and makes Alice's email address
>
>Even if that email address is Brian@, and he's unaware the intended
>recipient is Alice?
>
>>available to David even though Eric knows that Alice has not given
>>permission for it to be made available to Clara,
>
>Knows that she has omitted to convey her permission to him (because, why
>would she); or knows she has positively communicated "I do not permit"?
>
>Obviously he would also have to know that Brian@ is also Alice's email
>address, and that in the circumstances the mailing is meant for Alice
>and not Brian.
>
>>then Eric, if he is acting on behalf of a data processor (eg, a club)
>
>Does the club have to Notify?

Unless it's covered by one of the exemptions, yes.

>
>>is in breach. The only way he can avoid being in breach is not to send
>>Alice's email address to David.
>
>Which means he can't send the email at all [quite separately from the
>bcc: scenario; just a one-off "to:" would equally well infringe].
>
>This is a massive can of worms, and makes it virtually impossible to
>send an email to anyone who you might even slightly suspect shares an
>email account, or an email client, with someone else - unless you have a
>cast-iron list of permissions from everyone involved.

You can still send one-to-one emails to anyone you know. If they happen to
then share your email address with other members of their family then
that's not a DPA issue. Equally, a group of friends can send emails back
and forth as much as they like. As can a group of colleagues, customers and
suppliers using business email addresses.

Where it becomes a matter for the law is when the sender is acting on
behalf of an organisation which is a data processor in the sense used by
the DPA. In that case, any situation in which the sender reveals one
person's private email address to another person, without permission, is in
danger of breaching the DPA.

Roland Perry

Feb 22, 2015, 5:01:19 AM
In message <i1vhea1h1e1n494s4...@news.markshouse.net>,
Mark Goodge <use...@listmail.good-stuff.co.uk> writes
>You can still send one-to-one emails to anyone you know. If they happen
>to then share your email address with other members of their family
>then that's not a DPA issue.

OK. So it's fine for Brian to email David saying "Alice says she will
see you later today at the AA meeting", when Clara is Alice's boss and
gets to see the email because she shares an inbox/address with her
husband?

>Equally, a group of friends can send emails back and forth as much as
>they like. As can a group of colleagues, customers and suppliers using
>business email addresses.
>
>Where it becomes a matter for the law is when the sender is acting on
>behalf of an organisation which is a data processor in the sense used
>by the DPA. In that case, any situation in which the sender reveals one
>person's private email address to another person, without permission,
>is in danger of breaching the DPA.

The situation under discussion is where the confidential personal data
[it isn't restricted to just email addresses] is being revealed to
"other members of the family sharing an account", in addition to the
person it was intended to be informing.

How does the sender know that this sharing is going to happen, and in
order to comply with DPA must he ensure that emails are never sent to
such shared accounts?
--
Roland Perry

Mark Goodge

Feb 22, 2015, 9:02:25 AM
On Sun, 22 Feb 2015 10:01:08 +0000, Roland Perry put finger to keyboard and
typed:

>In message <i1vhea1h1e1n494s4...@news.markshouse.net>,
>Mark Goodge <use...@listmail.good-stuff.co.uk> writes
>>You can still send one-to-one emails to anyone you know. If they happen
>>to then share your email address with other members of their family
>>then that's not a DPA issue.
>
>OK. So it's fine for Brian to email David saying "Alice says she will
>see you later today at the AA meeting", when Clara is Alice's boss and
>gets to see the email because she shares an inbox/address with her
>husband?

Probably not, but in this case it probably wouldn't be actionable.

>The situation under discussion is where the confidential personal data
>[it isn't restricted to just email addresses] is being revealed to
>"other members of the family sharing an account", in addition to the
>person it was intended to be informing.
>
>How does the sender know that this sharing is going to happen, and in
>order to comply with DPA must he ensure that emails are never sent to
>such shared accounts?

The sender doesn't know whether or not this sharing is going to happen.
Therefore the sender cannot assume that it will not. That's one of the
reasons why it is *always* wrong for an organisation, such as a club, to
send out a mailing to members with multiple recipients in the To or Cc
lines.

(There are other, more morally important, reasons why not, of course, but
this is the most relevant legal reason).

Roland Perry

Feb 22, 2015, 10:58:04 AM
In message <85ojeadddktk8cvs7...@news.markshouse.net>,
Mark Goodge <use...@listmail.good-stuff.co.uk> writes

>>The situation under discussion is where the confidential personal data
>>[it isn't restricted to just email addresses] is being revealed to
>>"other members of the family sharing an account", in addition to the
>>person it was intended to be informing.
>>
>>How does the sender know that this sharing is going to happen, and in
>>order to comply with DPA must he ensure that emails are never sent to
>>such shared accounts?
>
>The sender doesn't know whether or not this sharing is going to happen.
>Therefore the sender cannot assume that it will not. That's one of the
>reasons why it is *always* wrong for an organisation, such as a club,
>to send out a mailing to members with multiple recipients in the To or
>Cc lines.

I've moved on from the leakage in to:/cc: lines (which we all seem to
agree is bad) to considering other situations where an email might
contain personal data for one occupant of the household, which is then
revealed to all the other occupants.

One example might be a person sharing the email account signing
themselves up to a UKIP mailing list, and that mailing list admin [as is
normally regarded as good practice] emailing back saying "if you really
did request an account for UKIP's mailing list, click this link to
confirm".

(This would potentially reveal not just personal data, but *sensitive*
personal data:

"In this Act [DPA 1998] 'sensitive personal data' means personal data
consisting of information as to

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,"

<etc>)
--
Roland Perry

Mark Goodge

Feb 22, 2015, 2:17:35 PM
On Sun, 22 Feb 2015 15:50:55 +0000, Roland Perry put finger to keyboard and
typed:
In that case, though, it would only be going back to the person who sent
it, so they are presumably already giving permission for the person they
share the address with to read all their emails.

Clive Page

Feb 22, 2015, 3:39:33 PM
On 20/02/2015 18:56, tim..... wrote:
>
> Surely in a "club" all of the members know who are the other members, so
> what is the "personal" information that has been revealed by them
> receiving the list again

It may be that in a smallish club all the members know all the others,
at least by sight. But they won't necessarily know their email
addresses. If your club members have given their explicit permission
for their contact details to be provided to all other members of the
club then that's surely ok, but in many cases they have only given their
email address so that those running the club can contact them.

This is actually a serious problem for a club that I help to run. We'd
like to set up a mechanism for members to contact each other, e.g. so
that members can pass on unwanted event places to others who may be on
the waiting list, but to do that I understand that we would have to ask
all the members for that explicit permission. We could do that, but
would then potentially end up with two classes of member: those who
agree that we can give their email address to any of the other members,
and those who don't. Just setting up two separate lists to handle that
is just too much trouble, so at present we have just not bothered to set
up the transfer mechanism.


--
Clive Page

spuorg...@gowanhill.com

Feb 22, 2015, 4:29:13 PM
On Sunday, 22 February 2015 20:39:33 UTC, Clive Page wrote:
> This is actually a serious problem for a club that I help to run. We'd
> like to set up a mechanism for members to contact each other, e.g. so
> that members can pass on unwanted event places to others who may be on
> the waiting list, but to do that I understand that we would have to ask
> all the members for that explicit permission. We could do that, but
> would then potentially end up with two classes of member: those who
> agree that we can give their email address to any of the other members,
> and those who don't. Just setting up two separate lists to handle that
> is just too much trouble, so at present we have just not bothered to set
> up the transfer mechanism.

Some form of forum / wiki / BBS / usergroup would be useful; these often have a personal messaging facility which doesn't disclose email addresses, or an alert mechanism where people get an email alert whenever a page is updated or there's a new posting.

I know one place that uses http://www.pbworks.com/ to host a wiki-thing.

Owain



Allan

Feb 22, 2015, 5:32:04 PM
On 20/02/2015 14:04, Nogood Boyo wrote:
> When a club emails newsletters etc to all its members, are there any data
> protection issues involved if names / email addresses of other members are
> disclosed in the To: field?
>
> (Email programs seem to have a mind of their own as to the way in which
> names and email addresses are displayed - sometimes just name, sometimes
> just email, sometimes both).
>
> Some organisations use Bcc: to hide such addresses but I'm not keen on that,
> because I find it helpful to know who else has received an email, so that I
> know whether or not I need to share it with others.
>
> Advice appreciated.
>
> Nogood Boyo

I've been doing a bit of research into this as I have an issue with a NZ
organisation who sent a survey e-mail out with ~30 customers in the To:
field, including me. Before going back to the organisation, I had a
look round for equivalent Data Protection organisations and found the
following by way of reference to good practice:

UK: https://ico.org.uk/for-organisations/it-security-top-tips/

Irish: http://www.dataprotection.ie/docs/FAQ-mailing-lists/929.htm

NZ:
https://www.privacy.org.nz/news-and-publications/guidance-resources/data-safety-toolkit/

(if necessary, search for bcc in the above urls to find the relevant bit)


I know the OP asked about Data Protection issues, but I'm glad at least
one poster on this thread mentioned the virus/harvesting risk. Exposing
e-mail addresses may involve Data Protection issues, but the risk in
virus propagation is much greater (IMHO).

Allan


Iain

Feb 22, 2015, 8:08:08 PM
Nogood Boyo wrote:
> When a club emails newsletters etc to all its members, are there any
> data protection issues involved if names / email addresses of other
> members are disclosed in the To: field?
>
> (Email programs seem to have a mind of their own as to the way in
> which names and email addresses are displayed - sometimes just name,
> sometimes just email, sometimes both).
>
> Some organisations use Bcc: to hide such addresses but I'm not keen
> on that, because I find it helpful to know who else has received an
> email, so that I know whether or not I need to share it with others.
>
> Advice appreciated.
>
> Nogood Boyo

A few years ago, I spoke to the ICO specifically about this subject. The
conclusion was:
1) Email addresses are defined as personally identifiable data and therefore
should not be divulged to other parties;
2) When an email address is given to an organisation, it is normally with
the understanding that the email address is kept confidential.

The conclusion was that to send bulk emails using the 'To' field is
probably a breach of the first principle of the DPA. The correct (and
expected) method is to use the 'BCC' field. That is if this method is being
used.


Below is what I posted on 10th Jan 2011 (and I have just checked - I still
have the recording):

"According to the Information Commissioner's Office helpline, you are wrong.
What you and I quoted is specifically the example that she gave me.
Apparently it is probably a breach of the DPA as they should have used the
BCC (if it is available).
[The example was JoeB...@joebloggs.co.uk]

The Act itself defines personal data in its very first section - data which
relates to a living individual who could be identified from those data. Not
using the BCC facility is likely to be a breach of the first principle -
processing data fairly and lawfully.

If that organisation is going to do something with that individual's
personal data that they might not reasonably expect, then they should
provide them with some fair processing information. She added that it does
not actually say that within the first principle, but that is how they
interpret it [which is what we would need to go on].

She went on to say that if someone gave an email address to a company, they
wouldn't normally expect it to be disclosed to a third party if they hadn't
been told that that was going to be the case. If they had been given fair
processing information that they were going to disclose it to all those
people, then fine. If they haven't been and it's accidentally disclosed in
that way, then it's likely to be a breach of the first principle of the Act.

(This is a summary from a recorded conversation)

IANAL, but I telephoned to check up!"


--
Iain

