Aerial view of Glasgow, Scotland, UK.

HIV Scotland fined £10,000 after email blunder discloses identities of 65 recipients

The Information Commissioner’s Office (ICO) has hit charity HIV Scotland with a £10,000 fine following an email data breach that led to the identities of 65 individuals being disclosed to over 100 people.

In February 2020, HIV Scotland sent a bulk email containing an event agenda to 105 people. Unfortunately, the email was sent to the mailing list using the carbon copy (CC) rather than the blind carbon copy (BCC) feature. Consequently, every recipient of the email could see who else had gotten it.

Due to the nature of the email addresses and the database used, 65 of the 105 recipients could be identified by name. In issuing the fine, the ICO said the nature of the breach and the event that the email related to – one linked to HIV Scotland’s Community Advisory Network – meant that assumptions could be made about recipients’ HIV status or risk.

HIV Scotland had contacted the ICO and submitted a data breach incident report on the same day the breach occurred.

Inadequate training to blame

An ICO investigation of the incident blamed both shortcomings in HIV Scotland’s email procedures and inadequacies in staff training. While the charity had been using email software since July 2019, it had not fully implemented its use by the time of the breach in February 2020. Had HIV Scotland used software to send the email to the mailing list in question, all recipients’ would have remained anonymous to each other.

In its ruling of the incident, the ICO wrote that HIV Scotland’s failure to implement the email platform it was using, “represents a serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring.”

ICO encourages all organisations to revisit email procedures

Ken Macdonald, head of ICO Regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help. I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

Alasdair Hudson, interim chief executive of HIV Scotland, and who was not in charge at the time of the data breach incident in question, said: “HIV Scotland takes full responsibility and unreservedly apologises to those who may have been impacted by the data breach and we continue to offer our full support in any way we can.

“Since installing our new team and board of trustees, we have taken robust steps to improve information security and we are confident that such an incident could not be repeated.

“For a small charity, financially, I cannot deny that this is a heavy blow. However, we will find a way to pay the £10,000 fine to the ICO.

“As an organisation, HIV Scotland would like to reiterate its commitment to providing a safe and supportive space where our stakeholders and networks can contribute to better health and wellbeing for those impacted by HIV and improving sexual health for all.”

Impacted by HIV Scotland data breach? You could be entitled to compensation

Were you impacted by HIV Scotland disclosing your identity to over 100 people?

If so, you may be entitled to compensation.

Contact LawPlus today for a free, no-obligation assessment and learn whether you have grounds for a data breach claim.