
UK Government in email privacy blunder - ColinWright
https://www.bbc.co.uk/news/uk-47962405
======
ColinWright
Not so long ago I received an email that included in the header _all the BCC
recipients._

So just training people to use BCC isn't enough, you also need to be sure that
your email system doesn't include the addresses in the header regardless.
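
An added example, not part of the original comment: one way to check that hidden recipients stay in the SMTP envelope and never reach the serialized headers, using Python's standard `email` package. The function names and the `example.org`/`example.com` addresses used with them are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses


def build_release(sender, to, bcc, subject, body):
    """Compose a message the way a mail client would, Bcc header included."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_outgoing(msg):
    """Return (envelope_recipients, wire_bytes).

    Every To/Cc/Bcc address goes into the envelope list (what RCPT TO uses);
    the Bcc headers are removed from a copy before it is serialized.
    """
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(str(v) for v in msg.get_all(name, []))
    envelope = [addr for _, addr in getaddresses(fields) if addr]
    safe = message_from_bytes(msg.as_bytes(), policy=policy.default)  # copy
    del safe["Bcc"]         # deleting an absent header is a no-op
    del safe["Resent-Bcc"]
    return envelope, safe.as_bytes()


def leaked_recipients(wire_bytes, hidden):
    """Addresses from `hidden` that appear in any header of the wire message.

    Substring match over all header values, so it also catches a gateway
    copying recipients into a non-standard header.
    """
    parsed = message_from_bytes(wire_bytes, policy=policy.default)
    header_blob = "\n".join(str(v) for v in parsed.values()).lower()
    return sorted(a for a in hidden if a.lower() in header_blob)
```

Running `leaked_recipients` over a copy of the message as actually received (for example, one sent to a test mailbox) checks the whole delivery path rather than just the sending code. In Python specifically, `smtplib.SMTP.send_message` drops `Bcc` headers itself, while `sendmail` with a hand-serialized message does not.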

------
rahimnathwani
tl;dr - UK government distributed a press release by sending a regular email,
and just putting 300 journalists' addresses in the To and/or CC fields.

I wonder what their normal process is. Same, but using bcc? Using mail merge
(via Word+Outlook)? Using some CRM software?

I'm not sure why this matters anyway. Am I wrong to assume that it's in each
journalist's interest to have their email address known, so that people can
send them tips?

~~~
detaro
The article cites another example of this happening in a way more sensitive
case. In the case of a distribution list to journalists it's not so bad, but
their processes and training should prevent it from happening.

~~~
rahimnathwani
Right, but the other case:

- was in a totally different part of the government (the Home Office)

- was targeted communication related to individuals' immigration/residency
status, not a press release meant for wide consumption

I don't imagine the relevant systems, processes or training would have any
overlap. Unless the civil service has some generic training about GDPR and
data protection, which I doubt would do much to prevent mistakes like this.

Sure, it would be nice if there were systems for everything, e.g. if every
press release from the government or civil service were distributed via a
single internal system, which would manage the approval work flow for each
department as required, and send individual emails to the right journalists
automatically. But I don't know who would have an incentive to fix these types
of problems.

So I guess most folks just muddle along with ad hoc processes.

