A bulk email data breach has resulted in a fine from the ICO, after a data controller potentially revealed the identities and, by inference, the health status of recipients.
A recent data breach by a Scottish charity, HIV Scotland, has resulted in a fine from the ICO. A bulk email was sent to 105 recipients, including patient advocates for people living with HIV in Scotland. Of those 105 email addresses, 65 identified people by name. The breach occurred because a staff member failed to use the blind carbon copy (BCC) feature correctly and instead sent the bulk email in a way that let every recipient see all the other recipients' email addresses. From the data disclosed, assumptions could be made about a person's HIV status.
Health data is special category data under the UK GDPR and is considered particularly sensitive; as a result, this error was taken very seriously by the ICO. Ken MacDonald, Head of ICO Regions, was quoted as saying: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.” He went on to add: “I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
It was found that the charity was still using a less secure method of sending bulk emails seven months after acquiring a system that allows bulk emails to be sent more securely.
The charity had itself acknowledged the risks of sending bulk messages using the BCC feature found in most email applications: BCC only protects recipients if the sender selects the right field every single time, so one slip exposes the whole list. On that basis it procured a more secure system for sending emails. However, seven months later, the organisation was still using the less secure BCC approach. This, compounded by inadequate staff training and an inadequate data protection policy, led to the data breach and, by extension, to several infringements of the UK GDPR and the corresponding fine.
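To make the distinction between the two approaches concrete, the following is an added example (not HIV Scotland's system, and not code from the ICO) of the kind of technical measure the notice points towards: an outbound guard that refuses any message whose To/Cc headers expose more than one address, and a builder that sends one message per recipient so there is no shared list to leak in the first place. The function names, the `max_visible` limit and the placeholder addresses are all assumptions made for the example; nothing here connects to a mail server.

```python
"""Bulk-mail controls for the CC-instead-of-BCC failure mode.

Added example, not the charity's or the ICO's code. Messages are built and
checked in memory only; no SMTP connection is made.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable


class RecipientExposure(Exception):
    """Raised when a message would reveal other recipients' addresses."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient of this message could see.

    Only To and Cc count: Bcc is removed by the sending server before
    delivery, so it is not visible to the other recipients.
    """
    headers = [v for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return [addr for _name, addr in getaddresses(headers) if addr]


def exposes_recipients(msg: EmailMessage, max_visible: int = 1) -> bool:
    """True if more than `max_visible` addresses are visible in To/Cc.

    `max_visible` is an assumed policy value for the example: a bulk
    mailing should show each recipient only their own address.
    """
    return len(visible_recipients(msg)) > max_visible


def check_no_exposure(msg: EmailMessage, max_visible: int = 1) -> None:
    """Outbound guard: raise before sending if the headers leak a list.

    This is the check that would stop a CC-instead-of-BCC mistake from
    leaving the organisation, independent of how careful the sender was.
    """
    if exposes_recipients(msg, max_visible):
        n = len(visible_recipients(msg))
        raise RecipientExposure(
            f"{n} addresses visible in To/Cc (limit {max_visible}); "
            "use Bcc or send individual messages"
        )


def build_shared_list_message(sender: str, recipients: Iterable[str],
                              subject: str, body: str,
                              header: str = "Cc") -> EmailMessage:
    """Reproduce the risky pattern: the whole list in one header.

    With header="Cc" (or "To") every recipient sees every other address;
    only with header="Bcc" is the list hidden, and that depends on the
    sender picking the right field each time.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg[header] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender: str, recipients: Iterable[str],
                              subject: str, body: str) -> list[EmailMessage]:
    """Safer pattern: one message per recipient, each carrying only its
    own address in To, so there is no shared list to expose. Every
    message still passes the outbound guard as defence in depth. The
    messages are returned rather than sent."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        check_no_exposure(msg)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    # Constructed placeholder addresses; not real people.
    advocates = ["a@example.org", "b@example.org", "c@example.org"]

    # The mistake: list copied into Cc, so everyone sees everyone.
    bad = build_shared_list_message("news@example.org", advocates, "Update", "Hello")
    try:
        check_no_exposure(bad)
    except RecipientExposure as err:
        print("blocked:", err)

    # The safer pattern: no message ever carries more than its own address.
    for m in build_individual_messages("news@example.org", advocates, "Update", "Hello"):
        print(m["To"], "sees", visible_recipients(m))
```

The guard is deliberately placed on the sending path rather than left to the person composing the message; that is the difference between a procedure that relies on staff remembering BCC and a technical measure that fails closed.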
The organisation was fined £10,000 under the Data Protection Act 2018 for infringements of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.
The ICO has issued a fine of £10,000 to the data controller, HIV Scotland. In deciding on the amount, the ICO considered the charity’s size and its representations regarding its financial position. The February 2020 breach is considered an infringement of UK GDPR Articles 5(1)(f) and 32(1) and (2). Article 5(1)(f) requires that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” Article 32 requires the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature of the data and the likelihood and severity of harm to individuals.
The ICO is urging organisations and businesses to be mindful of their email practices in light of this situation.
The ICO has released a statement urging businesses and organisations to evaluate, or re-evaluate, their practices for sending correspondence to large groups of clients or other individuals. Data protection law requires organisations responsible for personal data to have appropriate technical and organisational measures in place to ensure its security; for bulk email, that means not relying on staff to select the right field every time, but using a sending method that cannot expose the recipient list.