I have just had a work related e-mail from an HR manager in which mine and every other recipient’s private email addresses are visible. Am I correct that this is not just poor practice but a possible data protection breach.

I am not hugely bothered but was going to send her a reply requesting this be done with non visible emails. This is a NHS email account it has come from not a small company so I would have thoiught they would do better.

Anyway for my info just bad practice or data breach.

This is a NHS email account it has come from not a small company

Are all the recipients, including yourself, NHS employees? Or is this an email from HR to people outside the organisation – such as prospective employees?

If it’s an office email to direct employees no harm, no foul. If there are contractors on the list more of a commercial confidentiality problem.

So are you normally allowed to know the private email addresses of all your colleagues?

What if one colleague used this info to harass another one?

Yes, not using bcc is sadly very common (I think email clients should make it the default offering frankly) but they screwed up.

All recipients are other employees which is why I’m not hugely bothered. I’ve not fallen out with anyone on the list but I still don’t think they should be sharing it.

If it’s people’s private email addresses and sent by an employer I think it’s a breach of GDPR, irrespective of whether the recipients are employees.

Holding private email addresses in the first place is probably in breach of GDPR.

This says… maybe (towards the bottom): https://www.towerwatchtech.com/5-ways-your-emails-could-breach-gdpr/

If it’s an office email to direct employees no harm, no foul.

If internal email addresses OK, but not home email addresses.

Wife did something similar by accident, she normally uses bcc, from a school to external exam candidates, had to email them all an apology and it got logged as a GDPR breach.

Its not automatically “OK” even if they were all @nhs.uk addresses – depending on the nature of the email – especially given its “HR”. e.g. if the email was about sickness/absence/mental health/grievance process etc – even if it doesn’t explicitly say why you were included if others could infer that this was only going to people who had say been off sick for a certain period.