
HIV Scotland fined £10,000 for data breach

HIV Scotland, a charity renowned for helping people living with and at risk of HIV in Scotland, has been fined £10,000 by the Information Commissioner’s Office (ICO) following a data breach in 2020.

The fine came after the charity sent out an email containing personal information to over 100 people. Because the email was sent via Microsoft Outlook without using the blind carbon copy (bcc) function, all the email addresses and some names were visible to the recipients. Because of what HIV Scotland does, the people who received the email could assume the HIV status or risk of the individuals who had their details disclosed.

Following the breach, the ICO – the UK’s data protection regulator – investigated the incident and found a series of shortcomings in the charity’s email procedures. These included:

  • Inadequate staff training
  • Incorrect methods of sending bulk emails by bcc
  • Inadequate data protection policy
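The failure mode described above is mechanical: a mass mailing with every address in To or Cc exposes the whole recipient list, and in this case the mere fact of receiving the email implied something sensitive about each person on it. The following is an added example, not code from the original article or from HIV Scotland or the ICO, showing the kind of pre-send check an organisation can put in front of its bulk mailings: it flags any message that exposes more than an assumed threshold of visible recipients and rewrites it so that the list goes into Bcc. The threshold, the sender and recipient addresses, and the message body are all constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: more than this many visible (To/Cc) recipients is a bulk send
# and must use Bcc. A real deployment would set this per organisation.
BULK_THRESHOLD = 5


def _addresses(msg, header):
    """Return the bare addresses in every occurrence of a header (To, Cc, Bcc)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def visible_recipients(msg):
    """Addresses that every recipient can see: everything in To and Cc."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def hidden_recipients(msg):
    """Addresses in Bcc, which recipients cannot see."""
    return _addresses(msg, "Bcc")


def check_bulk_send(msg, threshold=BULK_THRESHOLD):
    """Return a list of findings; an empty list means the message may be sent as-is."""
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > threshold:
        findings.append(
            f"{len(visible)} recipient addresses exposed in To/Cc "
            f"(limit {threshold}); move them to Bcc"
        )
    return findings


def rewrite_as_bcc(msg):
    """Move all To/Cc addresses into Bcc, in place, and address the message to the sender.

    smtplib.send_message() strips the Bcc header before transmission and uses it
    only for the envelope recipients, so no recipient sees the others.
    """
    hidden = list(dict.fromkeys(hidden_recipients(msg) + visible_recipients(msg)))
    sender = str(msg["From"])
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(hidden)
    return msg


def build_sample():
    """Constructed sample: a service update wrongly addressed to eight visible recipients."""
    msg = EmailMessage()
    msg["From"] = "newsletter@charity.example"
    msg["Subject"] = "Service update"
    msg["To"] = ", ".join(f"member{i}@example.org" for i in range(1, 8))
    msg["Cc"] = "volunteer@example.net"
    msg.set_content("Constructed sample body for the example.")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    for finding in check_bulk_send(sample):
        print("BLOCKED:", finding)
    fixed = rewrite_as_bcc(sample)
    print("After rewrite, visible:", visible_recipients(fixed))
    print("After rewrite, hidden count:", len(hidden_recipients(fixed)))
    print("Findings after rewrite:", check_bulk_send(fixed))
```

Run as a script, the check blocks the constructed message for exposing eight addresses, and after the rewrite only the sender's own address is visible while all eight recipients sit in Bcc. The design point is that the control is enforced in the sending path rather than left to each member of staff remembering to use Bcc, which is the gap the ICO identified in this case.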

HIV Scotland was aware of the risk but chose not to adequately address it. The ICO’s investigation discovered that the charity had procured a more secure system for bulk messages several months earlier, after identifying the risk, but continued to use the insecure method. In response, the regulator found that there was a “serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring”.

Ironically, HIV Scotland had shown it was aware of data protection risks when it commented critically on a similar issue involving a Health Board. As such, the ICO took the view that the charity should have implemented adequate processes to prevent such an incident within its organisation.

Commenting on HIV Scotland’s failings, interim chief executive Alastair Hudson apologised unreservedly to anyone affected by the data breach and stated that the charity took full responsibility for the data protection breach.

Following the fine, the ICO is urging all organisations to revisit their bulk email practices. Ken Macdonald, Head of ICO Regions, said:

“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

Commenting on the data privacy failure, Kingsley Hayes, head of data breach, said:

“Charities hold a lot of sensitive data, often on the vulnerable people they support and protect. This information must not fall into the wrong hands or be misused in any way. However, all too often, charities either aren’t aware of their obligations, or as in this case, haven’t done enough to ensure that they meet them.

“Unfortunately, not using the bcc functionality when sending an email to multiple recipients is a common data privacy mistake and one that charities and other organisations should easily be able to prevent with the proper training and processes.”

“This is a serious data protection failure by HIV Scotland. The fine reflects the harm that can be caused to those put at risk by poor organisational email processes.”

Making a charity data breach claim

Many people donate to charities and causes that are close to their hearts. But, while you might support a charitable organisation, it must meet its data protection obligations – especially where sensitive data is involved. Holding charities to account for data protection failures is often the only way to improve standards and ensure the continuation of the good work you support.

Contact Keller Postman UK to discuss a data breach claim.

Published by
Keller Postman
3 years ago
