In brief

In 2018, approximately 3000 individuals had their personal information compromised over a three month period due to a sender’s failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.

What you need to know

  • In 2018, six notifiable data breaches were reported to the  Office of the Australian Information Commissioner (OAIC) over a three month period in relation to failing to use the BCC function when sending an email, with an average of 494 individuals affected in each breach.
  • The breaches involved sending an email to a group by including all recipient email addresses in the ‘To’ field resulting in the inadvertent disclosure of all email addresses to all recipients.

What you need to do

  • Consider reviewing staff training policies regarding the collection, handling, use and disclosure of personal information in order to comply with the Privacy Act 1988 (Cth) (Privacy Act).
  • Take steps to update your staff training policies regarding email usage to ensure they comply with the Spam Act 2003 (Cth). The sending of commercial electronic messages may also trigger anti-spam laws.
  • Seek to understand the recent Notifiable Data Breaches (NDB) laws which will assist in effectively managing communications in your organisation moving forward.

The Privacy Act

The Privacy Act sets out various rights and obligations in relation to the collection, handling, use and disclosure of personal information.

Those organisations which are required to comply with the Privacy Act must understand what can and cannot be done when sending emails to multiple recipients.  (Please note, not all individuals or organisations are required to comply with the Privacy Act – some limited exceptions apply. It is important that you check with the OAIC to confirm whether you are impacted.)


Human error, for example not using the BCC email function in mass emails, made up more than a third of all data breaches according to the October 2018 OAIC NDB Quarterly Statistics Report.

Organisations required to comply with the NDB scheme have notification obligations to the OAIC and the individuals affected in these instances. For further information on whether your organisation is required to comply with the NDB scheme, visit the OAIC website.


It is vital that organisations sending mass emails check, re-check and check again the intended recipients of an email containing personal information to ensure the disclosure does not constitute a data breach.  If your organisation is required to comply with the NDB scheme, it is important to take appropriate actions, such as those outlined above. This may assist your organisation to reduce NDB incidents and ultimately avoid the obligation to notify the OAIC and affected individuals.

Related News

I didn’t use the BCC email function – have I just breached privacy laws?

Sent a mass email and didn’t BCC all recipients? You could be breaching data breach notification laws.
7 February, 2019