The Information Commissioner’s Office (ICO) has fined HIV Scotland £10,000 after the charity sent a bulk email that identified recipients to each other.
HIV Scotland sent an email to 105 people in February 2020 where the email addresses were visible to all recipients because the sender had sent the email using the carbon copy (CC) function instead of blind carbon copy (bcc) function.
In 65 cases, the email address identified people by name and could have led to assumptions about people’s HIV status or risk.
The ICO’s investigation found that there was inadequate staff training, incorrect methods of sending bulk emails by bcc, and an inadequate data protection policy.
Furthermore, the charity had recognised the risks and bought a new system (Mailchimp) to send bulk messages, but had not implemented this fully, leading to the continued use bcc as a method for sending bulk emails.
Ken Macdonald, head of ICO regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.
“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
'We have taken robust steps to improve'
The ICO report says that the charity immediately apologised and asked recipients to delete the email. The charity also posted a statement on its website.
HIV Scotland has now reduced the risk of a repeat of the incident by fully implementing Mailchimp as its method of sending bulk emails.
The charity told the ICO that it had received one formal complaint about the incident, and the ICO says this is evidence of “distress being experienced by the complainant as a result of the breach”.
The ICO notes that HIV Scotland notified the regulator about the incident and co-operated with the investigation. The charity must pay the £10,000 fine by 16 November.
Since the incident took place HIV Scotland has appointed a new interim chief executive and trustee board.
Alastair Hudson, interim chief executive at HIV Scotland said: “HIV Scotland takes full responsibility and unreservedly apologises to those who may have been impacted by the data breach and we continue to offer our full support in any way we can.
“Since installing our new team and board of trustees, we have taken robust steps to improve information security and we are confident that such an incident could not be repeated. For a small charity, financially, I cannot deny that this is a heavy blow. However, we will find a way to pay the £10,000 fine to the ICO.
“As an organisation, HIV Scotland would like to reiterate its commitment to providing a safe and supportive space where our stakeholders and networks can contribute to better health and wellbeing for those impacted by HIV and improving sexual health for all.”