Context
The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk e-mail practices after failures by HIV Scotland led to a £10,000 fine.
Key points to note
- The breach of data protection law involved an e-mail sent to 105 people, including patient advocates representing people living with HIV in Scotland. All the e-mail addresses were visible to every recipient, and 65 of the addresses identified people by name.
- From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.
- An ICO investigation of the February 2020 incident found shortcomings in the charity’s e-mail procedures. These included inadequate staff training, incorrect methods of sending bulk e-mails by blind carbon copy (bcc) and an inadequate data protection policy.
- It also found that despite the charity’s own recognition of the risks in its e-mail distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months later.
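The failure above is a bulk message whose recipient list is visible to every recipient. The following is an added Python example (not code from the ICO or the charity) showing a pre-send check for exposed recipients and the safer pattern of building one message per recipient, so no shared address list exists to leak if bcc handling goes wrong; the threshold and addresses are constructed assumptions.

```python
from email.message import EmailMessage
from typing import Iterable, List

# Hypothetical policy threshold: at most one visible recipient per outgoing message.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Return every address recipients can see, i.e. the To and Cc headers."""
    addrs: List[str] = []
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value:
            addrs.extend(a.strip() for a in str(value).split(",") if a.strip())
    return addrs


def check_message(msg: EmailMessage) -> bool:
    """True if the message exposes no other recipient's address."""
    return len(visible_recipients(msg)) <= MAX_VISIBLE_RECIPIENTS


def build_individual_messages(sender: str, recipients: Iterable[str],
                              subject: str, body: str) -> List[EmailMessage]:
    """Build one message per recipient instead of a single message with a shared
    To/Cc/Bcc list. Each message can then be passed to smtplib's send_message()."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt            # only this recipient's own address is visible
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


# Constructed sample data (not real addresses).
RECIPIENTS = ["advocate1@example.org", "advocate2@example.org", "advocate3@example.org"]


def bad_bulk_message() -> EmailMessage:
    """The failure mode: every recipient placed in the To header."""
    msg = EmailMessage()
    msg["From"] = "news@example.org"
    msg["To"] = ", ".join(RECIPIENTS)
    msg["Subject"] = "Newsletter"
    msg.set_content("Constructed sample body.")
    return msg
```

Running `check_message` on the output of `bad_bulk_message()` returns False, while every message from `build_individual_messages` passes.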
Next actions
Whilst we have included this item for information and awareness, we would advise firms to review their e-mail distribution methods and confirm that no similar issues arise.