Outcomes - Selected Case Summaries



WORC sends bulk emails without using BCC

Informal Resolution | 22 June 2022

WORC sent a JobsCayman notice to 4000 registrants on the portal without use of the BCC function to protect the identity of the recipients. Many of the personal email addresses allowed for the identification of the addressees. An initial recall was issued, and approximately 2300 emails were successfully recalled, and 300 were undeliverable. A follow up email was sent to the recipients whose emails could not be recalled, requesting that the email be deleted without further disclosure. The registrants were notified in compliance with the requirements of the DPA.

Subsequently, we received numerous complaints/inquiries from some of the registrants regarding the breach, which were rolled into our investigation. We found that the sending of such bulk notices involves a manual process, which carries a high risk of error. To prevent reoccurrence, WORC proposed to liaise with the developer of the JobsCayman portal to add a procedure to send emails to recipients directly from the system, which eliminates the risk of such breaches. We agreed with this measure, and also provided WORC with additional recommendations regarding bulk emails. In addition, further staff training on the use of the specific email client and email etiquette should be undertaken in an effort to ensure that WORC continues to comply with the seventh data protection principle with respect to the use of e-mail generally. The case was closed with no further action.