Outcomes - Selected Case Summaries



Credit Union sends invitation without using BCC

Informal Resolution | 28 June 2022

The Credit Union sent a Microsoft Teams meeting invitation to 211 individuals regarding an orientation session on the organization and the products it offers, disclosing all email addresses to all recipients, causing a personal data breach. In addition, one data subject replied to all and disclosed health-related information without realizing that the information could be seen by all the other recipients. The data subjects were notified of the personal data breach one day outside the statutory 5-day notification period, asking them to delete the invitation. The Credit Union initially proposed no longer sending such invitations via Teams but rather: (1) sending a link to the Teams meeting via a separate email using BCC and informing the recipients that the meeting will include other participants and that their details will be visible to the other participants, or (2) using a webinar feature on another third-party meeting platform which allows all participants to remain anonymous.

We noted the late notification, but the notifications were otherwise compliant.

The sender had not been aware that Teams invitations were not sent using BCC function by default, and we provided the data controller with additional guidance on how to send meeting invitations via Teams using the BCC feature. We found that the Credit Union was not responsible for the subsequent reply to all containing health data. We were satisfied that the Credit Union had taken appropriate action in response to the personal data breach and the case was closed with no further action.