
ICO reprimands Northern Ireland bodies for data protection failures with email

03/08/23

Mark Say, Managing Editor


Two public sector organisations in Northern Ireland have been reprimanded by the Information Commissioner’s Office (ICO) for disclosing people’s information inappropriately via email.

The ICO said the Patient and Client Council (PCC) and the Executive Office disclosed recipient details by using inappropriate group email options and should have found an appropriate alternative such as mail merge.

The PCC had sent an email to 15 people across Northern Ireland, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) option.

Although the body of the email did not contain personal information, the people who received it could reasonably infer that the other recipients also had experience of gender dysphoria. This could have been information the recipients would not wish to be shared with people unknown to them.

The Executive Office’s Interim Advocate’s Office, established following the report of the Historical Institutional Abuse (HIA) Inquiry, sent an e-newsletter to 251 subscribers using the ‘to’ field.

Although only email addresses were disclosed, it can be inferred that the people included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to or already engaging with the HIA Inquiry compensation scheme.

Inappropriate and insufficient

The ICO’s investigation found that the email options chosen in both cases were not appropriate and that both organisations had insufficient guidance for staff about sending communications by bulk email.

It has recommended that PCC and the Executive Office should review and update their policies and procedures and provide appropriate guidance to staff in relation to email use. Both organisations will need to provide details of actions taken within three months of the reprimand being issued.

“This type of data breach is all too common but is easily avoidable,” UK Information Commissioner John Edwards said. “Organisations must take responsibility for training their staff properly and for putting appropriate systems and policies in place to avoid such incidents.

“Even if the content of an email is not sensitive or confidential, identifying people who have received it could reveal sensitive or confidential information about them. That could be very distressing and potentially harmful to the people affected.”
