HIV Scotland, a charity renowned for helping people living with and at risk of HIV in Scotland, has been fined £10,000 by the Information Commissioner’s Office (ICO) following a data breach in 2020.
The fine came after the charity sent out an email containing personal information to over 100 people. Because the email was sent via Microsoft Outlook without using the blind carbon copy (bcc) function, all the email addresses and some names were visible to the recipients. Because of what HIV Scotland does, the people who received the email could assume the HIV status or risk of the individuals who had their details disclosed.
Following the breach, the ICO – the UK’s data protection regulator – investigated the incident and found a series of shortcomings in the charity’s email procedures. These included:
- Inadequate staff training
- Incorrect methods of sending bulk emails by bcc
- Inadequate data protection policy
HIV Scotland was aware of the risk but chose not to adequately address it. The ICO’s investigation discovered that the charity had procured a more secure system for bulk messages several months earlier, after identifying the risk, but continued to use the insecure method. In response, the regulator found that there was a “serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring”.
Ironically, HIV Scotland had shown it was aware of data protection risks when it commented critically on a similar issue involving a Health Board. As such, the ICO took the view that the charity should have implemented adequate processes to prevent such an incident within its organisation.
Commenting on HIV Scotland’s failings, interim chief executive Alastair Hudson apologised unreservedly to anyone affected by the data breach and stated that the charity took full responsibility for the data protection breach.
Following the fine, the ICO is urging all organisations to revisit their bulk email practices. Ken Macdonald, Head of ICO Regions, said:
“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.
“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
Commenting on the data privacy failure, Kingsley Hayes, head of data breach, said:
“Charities hold a lot of sensitive data, often on the vulnerable people they support and protect. This information must not fall into the wrong hands or be misused in any way. However, all too often, charities either aren’t aware of their obligations, or as in this case, haven’t done enough to ensure that they meet them.
“Unfortunately, not using the bcc functionality when sending an email to multiple recipients is a common data privacy mistake and one that charities and other organisations should easily be able to prevent with the proper training and processes.”
“This is a serious data protection failure by HIV Scotland. The fine reflects the harm that can be caused to those put at risk by poor organisational email processes.”