
AIBU?

Share your dilemmas and get honest opinions from other Mumsnetters.

Is this a breach of GDPR?

33 replies

GDPR · 20/09/2024 21:31

Not necessarily an AIBU, I’m just posting here for traffic!

I recently moved into a new private rental within a large block of flats. Some weeks ago I found out that there needs to be work carried out on the building and everyone who lives within a certain side of the building will have a surveyor who needs access to the flats.

Today I received an email from a member of the Tenants Association regarding the surveyor’s availability and, instead of sending the email via BCC, he’s CC’d at least 50 tenants all into one email. That’s 50 strangers (yes we live in the same building but do we need access to each other’s email addresses without consent? I don’t think so) whose personal data have been shared just like that.

Some people have already replied asking why their email address has been shared with others and I’m wondering the same thing. I’m sure people may think, ‘well it’s hardly the end of the world if people have your email address’ but I don’t think other tenants should have access to it in the first place. Is this a breach of GDPR? Do organisations like a Tenants Association Group need to protect people’s data the same way that larger businesses do?

I’m not going to do anything about it but I just wondered whether they’re in the wrong or not tbh

constantlylactating · 20/09/2024 21:32

Yes, it's a data breach. Contact the ICO for more info.

SkaneTos · 20/09/2024 21:40

It would seem like a breach to me.

lavenderboux · 20/09/2024 21:42

Yes, as it is an unauthorised disclosure of personal information.

ThinWomansBrain · 20/09/2024 21:46

It is - but how is the association funded? If it's funded by a levy on all the tenants, you're kind of shooting yourself in the foot if they are fined.

Maybe as a first approach a politely worded email explaining the legal position and explain how to use BCC on mass emails would achieve more?

GDPR · 20/09/2024 21:51

Thank you for the comments. I did think it was a breach of GDPR but I wasn’t 100% sure.

@ThinWomansBrain as mentioned in the OP, I’ve only moved here recently so I’m not too clued up about how everything works. I personally won’t be reporting anyone but there are tenants that have responded who aren’t too happy at all. I’ll certainly respond and inform them about the law and the use of the BCC function

Ladyritacircumference · 20/09/2024 22:19

It depends if the source of the email was an organisation or business governed by the Data Protection Act.

For example it wouldn’t be a breach of GDPR if I CC’d all my neighbours in to an email from my personal account to raise a concern about a neighbourhood issue.

However, if I CC’d all my neighbours in to a business email promoting my gardening services it would be.

GDPR · 20/09/2024 23:06

Ladyritacircumference · 20/09/2024 22:19

It depends if the source of the email was an organisation or business governed by the Data Protection Act.

For example it wouldn’t be a breach of GDPR if I CC’d all my neighbours in to an email from my personal account to raise a concern about a neighbourhood issue.

However, if I CC’d all my neighbours in to a business email promoting my gardening services it would be.

The email was from a business email (the Tenants Association email address) in regards to building work. Seems pretty formal to me and I don’t think our emails should have been shared with one another.

forgivingfiggy · 20/09/2024 23:39

Yes, in breach of GDPR. But if it's a small organisation you are likely dealing with someone who sent an email and CCed rather than BCCed accidentally. They probably don't have the tech to prevent human error.

AmyFarrahFowler1 · 20/09/2024 23:42

Strictly speaking yes but it’s minor (if annoying for some) so the ICO won’t do anything.

Lincoln24 · 20/09/2024 23:46

As pp said it is a data breach but it's a minor one as the data is not sensitive.

It's best dealt with through common sense, the sender should apologise and ask recipients to delete the email.

samarrange · 20/09/2024 23:51

The GDPR violation is not so much in the fact that the e-mails were sent, as that the TA has not put steps in place to stop it happening. That is, whoever sent the mail should have undergone training as to how to send an e-mail to 50 people securely.

I suspect that there are many millions of very small organisations that have not done that. To do so would have collectively cost them hundreds of millions of pounds. I don't think the tenants would necessarily be impressed to find a line item in the expenses for £200 or whatever to learn how to send e-mails. There might be comments about "bureaucracy gorn mad".

As a data breach, it's really not the end of the world. E-mail addresses are not really ultra-sensitive information about the average person (and if yours is, then get a burner Gmail account for everyone except your CIA handlers or whatever). If you know only that the person who lives below you is called Clyde and there is a Clyde.Barrow47(at)btinternet.com on the list, well, you've learned his surname. Nobody is going to be harvesting the addresses for spam.

(I'm old enough to remember when you were meant to be very careful with your phone number, but WhatsApp has basically put paid to that.)

GDPR · 21/09/2024 08:40

I honestly thought everyone knew the difference of CC and BCC but clearly not!

cakeorwine · 21/09/2024 08:55

GDPR · 21/09/2024 08:40

I honestly thought everyone knew the difference of CC and BCC but clearly not!

Most common cause of data breaches.
Along with using autofill and putting in the wrong email address - because people are in a rush.

GDPR · 23/09/2024 15:05

Well well well it’s all kicked off somehow!

Instead of apologising and admitting fault, the person that’s sent the email has basically said that they work a voluntary role so don’t appreciate being pulled up on this mistake. I’ve been told that if I have an issue with having my email address shared with other people in the block then I should contact my Landlord. Because that’s really the way the law works isn’t it?!

DreadPirateRobots · 23/09/2024 15:11

Just leave this storm in a teacup to blow itself out. It's not a major breach, the ICO will be 0% interested, everybody will get the fuck over it eventually.

DancingNotDrowning · 23/09/2024 15:12

Whilst it is a privacy breach it’s so low level as to be irrelevant to the ICO (for context I regularly liaise with Supervisory Authorities on matters where significant amounts of sensitive data have been breached and there’s rarely any consequence).

I actually have a lot of sympathy with the volunteer who is currently under fire. The reality is these are often thankless tasks which are absolutely necessary and I imagine the pile on is making them question why they bother.

GDPR · 23/09/2024 15:18

Oh I won’t be wasting my time reporting it to anyone, that makes no sense and quite frankly, is a waste of my time.

I’m not a volunteer so I can’t relate but I think the best thing to do would be to apologise for the mistake and move forward. Telling people that you don’t appreciate their tone when they’re frankly unhappy that you’ve shared their email with 50 other strangers, probably isn’t going to help!

I do think people will get over it eventually. From the responses we’ve all received, I wouldn’t hold my breath because it’ll probably happen again anyway!

ohyesido · 23/09/2024 15:18

It is probably not a reportable breach, unless it contained embarrassing or sensitive information about the recipients.

I doubt the ICO would be interested as it’s more of an admin oversight. Email addresses are personal information but on their own they don’t identify anyone personally.

However, the YMCA were fined a considerable sum when the same thing happened, because the email was about treatment in a sexual health service, therefore incredibly sensitive.

It’s more about the impact than the action.

Comefromaway · 23/09/2024 15:20

Being a volunteer does not absolve you from GDPR responsibilities. I was a volunteer for many years and although it was before GDPR I knew what I could and could not do and what the consequences might be.

Comefromaway · 23/09/2024 15:23

So for example someone who my children went to school with had an unusual surname. They also happened to be a medical professional working in mental health services with some unstable/volatile people. They were once followed around town by a patient who recognised them.

A stray email could alert someone to the fact that they live in that block of flats. That is just one example.

GDPR · 23/09/2024 15:32

Comefromaway · 23/09/2024 15:20

Being a volunteer does not absolve you from GDPR responsibilities. I was a volunteer for many years and although it was before GDPR I knew what I could and could not do and what the consequences might be.

I thought the exact same thing!

Apparently all those that complained just won’t receive future emails. So instead of them sending out a BCC email, they’ll continue to CC everyone into an email and for those that were upset at the breach just won’t receive anything in future. Absolutely batshit

ThisPresetIsSelected · 23/09/2024 15:48

GDPR · 23/09/2024 15:32

I thought the exact same thing!

Apparently all those that complained just won’t receive future emails. So instead of them sending out a BCC email, they’ll continue to CC everyone into an email and for those that were upset at the breach just won’t receive anything in future. Absolutely batshit

Ha, that's mad.
If you handle data in any way, volunteer or otherwise, you need to know how to handle it lawfully.

ThisPresetIsSelected · 23/09/2024 15:50

I hope no-one signs up the guy's email address for a load of spam / newsletters so he sees how carelessly misusing email addresses can be, at the very least, a nuisance.

YorkshirePuddingsGreatestFan · 23/09/2024 15:51

This happened with a group I'm involved with. A new admin person started and sent out an introductory email using CC instead of BCC.

I dropped them a message and explained in a friendly way that it's a data breach and they should use BCC in future.

They apologised and said it was a silly mistake and they know now for next time.

That's all you need to happen. There doesn't need to be drama.

snoopyfanaccountant · 23/09/2024 17:14

An organisation I was part of had a volunteer who used to email out newsletters to everyone without using BCC and couldn't be made to see what she was doing wrong. She finally got the message when someone with MH difficulties started sending emails to everyone on NYE, complaining that the organisation hadn't arranged something for that night and people were getting very angry at receiving these messages.
