HIV Scotland fined £10,000 for sending bulk email which identified recipients

All organisations are being urged to revisit their bulk email policies after a data protection breach led to the charity HIV Scotland being fined £10,000.

The Information Commissioner’s Office fined the charity after it sent a bulk email to 105 people in February 2020.

The email contained the agenda for an event of HIV Scotland’s Community Advisory Network, which brings together patient advocates from across the country.

However, the email used the carbon copy (CC) rather than the blind carbon copy (BCC) feature, meaning everyone who received the email could see the other recipients.

The email addresses could identify 65 people by name, and the ICO said an assumption could be made about their HIV status or risk based on this.

HIV Scotland contacted the ICO and submitted a data breach report on the same day as the incident.

The charity’s chief executive apologised to all those involved in the breach, with the mistake being put down to “human error”.

An ICO investigation found shortcomings in the charity’s email procedures and inadequate staff training.

It found that the charity had procured the Mailchimp system to send secure emails in July 2019, but had not fully implemented it at the time of the data breach.

The ICO’s ruling said this “represents a serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring”.

Ken Macdonald, head of ICO Regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care.

“This avoidable error caused distress to the very people the charity seeks to help.

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

Alasdair Hudson was appointed interim chief executive of HIV Scotland after his predecessor stepped down at the end of 2020.

Mr Hudson said: “HIV Scotland takes full responsibility and unreservedly apologises to those who may have been impacted by the data breach and we continue to offer our full support in any way we can.

“Since installing our new team and board of trustees, we have taken robust steps to improve information security and we are confident that such an incident could not be repeated.

“For a small charity, financially, I cannot deny that this is a heavy blow.

“However, we will find a way to pay the £10,000 fine to the ICO.

“As an organisation, HIV Scotland would like to reiterate its commitment to providing a safe and supportive space where our stakeholders and networks can contribute to better health and wellbeing for those impacted by HIV and improving sexual health for all.”

Copyright (c) PA Media Ltd. 2021, All Rights Reserved. Picture (c) Yui Mok / PA.