The Information Commissioner’s Office (ICO) has fined the charity HIV Scotland £10,000 for a breach of data protection law caused by a bulk email.
In February 2020 the charity sent an email to 105 people, including patient advocates representing people living in Scotland with HIV. All the email addresses were visible to every recipient, and 65 of the addresses identified people by name.
The ICO said that from the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.
Its investigation found shortcomings in HIV Scotland’s email procedures, including inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy.
It also found that despite the charity’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months later.
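As an added illustration of the bcc point above (example code written for this page, not anything from the ICO, HIV Scotland or the system the charity procured): a pre-send check that flags a bulk message whose To/Cc headers expose more than one address, shown beside the exposing construction and two safe ones. Addresses and list names are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: a hypothetical distribution list for a bulk mailing.
SENDER = "updates@charity.example"
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def visible_recipients(msg):
    """Addresses every recipient will see: To and Cc. Bcc is never delivered."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def exposure_check(msg, max_visible=1):
    """Pre-send gate for bulk mail: returns the exposed addresses when more
    than max_visible appear in To/Cc (the failure in the ICO case), else []."""
    exposed = visible_recipients(msg)
    return exposed if len(exposed) > max_visible else []


def build_exposing_message(sender, recipients, subject, body):
    """The mistake: every recipient placed in To, so the whole list is disclosed."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, ", ".join(recipients), subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, subject, body):
    """Correct bulk send: only the sender's own address is visible; the list
    goes in Bcc. Send via smtplib.SMTP.send_message(), which strips the Bcc
    header; passing msg.as_string() to sendmail() would leak the Bcc line."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, sender, subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body):
    """Safest option: one message per recipient, so no copy carries another address."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
        msg.set_content(body)
        out.append(msg)
    return out
```

Wiring `exposure_check` into the send path (refusing to send when it returns a non-empty list) is the procedural control the ICO findings describe as missing.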
Ken Macdonald, head of ICO Regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.
“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”