
ICO fines London trust over HIV data blunder



Sexual health clinic under Chelsea and Westminster Hospital allowed email recipients to see each other's addresses

Chelsea and Westminster Hospital NHS Foundation Trust has been hit by a £180,000 fine by the Information Commissioner's Office (ICO) after revealing the email addresses of more than 700 users of an HIV service.

The blunder was made by a Soho-based sexual health clinic, 56 Dean Street, which is under the trust's control, and follows a similar error in 2010.

The clinic offered a service to patients with HIV to receive test results and make appointments by email. Those using the service also received an occasional newsletter, and a small number of people who received the newsletter did not have HIV.

Addresses had been wrongly entered into the ‘to’ field instead of the ‘bcc’ field, which meant that anyone receiving the September newsletter could see the addresses of all the other recipients. Of the 781 email addresses, 730 contained people’s full names.

Triggered distress

The ICO found it had been a serious breach of the Data Protection Act, which was likely to have caused substantial distress.

Information Commissioner Christopher Graham said: “People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.

“It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too.

“That our investigation found this wasn’t the first mistake of this type by the trust only adds to what was a serious breach of the law.”

An ICO investigation found the trust had made a similar error in March 2010, when a member of staff in the pharmacy department sent a questionnaire to 17 patients in relation to their HIV treatment, entering emails in the ‘to’ field instead of the ‘bcc’ field.

While some remedial measures were put in place following this mistake, there was no specific training implemented.

