ICO fines YMCA branch £7,500 for revealing sensitive data of people living with HIV

30 Apr 2024 News

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) has fined the Central Young Men’s Christian Association (Central YMCA) £7,500 for revealing sensitive data about hundreds of people living with HIV.

Today, the ICO imposed a monetary penalty notice on Central YMCA after the London-based charity emailed people participating in a programme for individuals living with HIV, using carbon copy (CC) instead of blind carbon copy (BCC).

The email, sent in October 2022 to 270 people, revealed the email addresses to all recipients, of which 166 individuals could be identified or potentially identified.

The email

In a report, the ICO said the email was sent by a coordinator for the Positive Health Programme, an exercise scheme for people living with HIV.

Under the programme, Central YMCA collects special category data including the aims of referral to the programme, date of HIV diagnosis, medication taken, individual’s medical statistics, other medical history and their referring clinician/hospital.

The coordinator sent the email to a mailing list of 270 recipients, inviting them to a talk about nutrition, but used the CC function instead of the BCC one.

“The emails weren’t delivered to nine of those email addresses [and there were duplicates], so the emails were delivered to 255 recipients, disclosing 264 email addresses,” the ICO wrote in its report.

“Central YMCA then assessed that 115 of those had clear names in them, and a further 51 contained at least part of a name, making them potentially identifiable. Therefore 166 data subjects were affected by the breach, all of whom are in the programme.

“Recipients of the email can therefore infer from its contents that the 166 individuals whose email addresses were disclosed in the breach were likely to be living with HIV, meaning that the disclosed personal data included health data, which in turn is special category data under Article 9(1) of the UK GDPR.”
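The failure described above (a group mailing sent with CC, so every recipient sees the full list) is easy to catch before the message leaves. The following is an added example, not code from Central YMCA or the ICO: an outbound guard that counts the mutually visible To/Cc addresses of a raw RFC 5322 message, ignores Bcc, and flags anything over a constructed threshold. The hook point (mail gateway or sending script) and the threshold are assumptions.

```python
"""Outbound-mail guard for the CC-instead-of-BCC failure (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 5  # constructed threshold; set per organisational policy


def visible_recipients(raw: bytes) -> list[str]:
    """Return every address that all recipients will see (To and Cc).

    Bcc is deliberately excluded: it is stripped by the MTA and is the
    correct way to mail a group whose membership is itself sensitive.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addrs = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses([str(v) for v in msg.get_all(header, [])]):
            if addr:
                addrs.append(addr.lower())
    return addrs


def check_bulk_exposure(raw: bytes, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Flag a message that exposes more than `limit` distinct visible addresses."""
    seen = visible_recipients(raw)
    unique = set(seen)
    return {
        "visible_count": len(unique),
        "duplicates": len(seen) - len(unique),  # the ICO noted duplicate addresses
        "exposed": len(unique) > limit,
    }


# Constructed sample: a group invitation with the list in Cc (one duplicate, folded header).
SAMPLE_CC = b"""From: coordinator@example.org
To: coordinator@example.org
Cc: alice.smith@example.com, b.jones@example.net, carol@example.org,
 dave.k@example.com, erin@example.net, frank.l@example.org, alice.smith@example.com
Subject: Nutrition talk
Content-Type: text/plain

You are invited to a talk about nutrition.
"""

# Same message sent correctly: the list moves to Bcc, only the sender is visible.
SAMPLE_BCC = SAMPLE_CC.replace(b"Cc:", b"Bcc:")

if __name__ == "__main__":
    print(check_bulk_exposure(SAMPLE_CC))   # exposed: True
    print(check_bulk_exposure(SAMPLE_BCC))  # exposed: False
```

A gateway rule like this would have blocked or quarantined the October 2022 message at send time; it does not replace a bulk-mail platform, which is the control the charity's own procedures called for.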

£7,500 fine and reprimand

The ICO originally considered a penalty of £300,000 appropriate, “reflecting the seriousness of the breach” and the need for the penalty to be effective, proportionate and dissuasive.

However, it later reduced the value of the fine to £7,500 in line with its public sector approach and also issued a formal reprimand to Central YMCA.

“This approach, which the ICO is currently trialling, is where fines for public sector bodies are reduced where appropriate alongside wider use of other enforcement powers, such as reprimands.

“This is designed to reduce how much public money is used to pay fines for organisations’ errors, which often end up impacting those who need these public services.”

The ICO previously reprimanded and fined HIV Scotland for failing to implement an appropriate level of organisational and technical security for its internal email systems between May 2018 and February 2020.

Central YMCA: ‘We’re committed to continuously improving our internal processes’

Ryan Palmer, chief executive officer of Central YMCA, confirmed the data breach, adding that the charity reported this to the ICO and notified all users impacted.

“The use of BCC for group emails wasn’t in line with Central YMCA’s internal procedures, for which normal process is to use a bulk mail platform as recommended by the ICO. We have since strengthened awareness of our internal procedures and the tools available within the charity,” he said.

“We have also strengthened our approach to ensuring all staff and volunteers complete our mandatory data protection training to safeguard personal data processed by the charity. We have worked closely with the ICO throughout their investigation.

“Our members impacted by the breach have been supportive of the charity and recognised the human error that led to this situation.

“We’re absolutely committed to safeguarding the information we collect to deliver our services and recognise the consequences personal data breaches can have on those affected. We’re committed to continuously improving our internal processes and ensuring all staff and volunteers are aware of their responsibilities.”

ICO calls for better staff training

Information commissioner John Edwards said: “People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK. We’ve seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.

“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it’s being protected.

“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.

“The ICO takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected.

“We’re making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.”
