Skip links

HIV Scotland fined £10,000 for BCC email blunder identifying names of virus-carriers’ patient-advocates

The United Kingdom’s data watchdog is calling on organisations to review their “bulk email practices” after a BCC blunder by HIV Scotland incurred a £10,000 fine for breaking data protection regulations.

The case pertains to an email that was sent to 105 individuals on the Community Advisory Network (CAN) list, which is made up of patient-advocates “from across Scotland to represent the full diversity of people living with HIV”. In the offending chain, all of the email addresses were visible to all recipients and some 65 were people identified by name.

All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care

The Information Commissioner’s Office (ICO), which investigated the February 2020 email event, said that from the personal information exposed, assumptions could be made about the people’s HIV status or risk.

The charity had bought a MailChimp account in July 2019 and told the ICO [PDF] the system it had previously had in place for storing data had been poor, involving a “variety of different Excel spreadsheets that individual staff controlled.”

It said it had migrated a number of lists to “provide the necessary functionality for bulk messages to be sent in a more secure manner.” Unfortunately, HIV Scotland had not yet switched over the CAN list.

On 3 February last year, HIV Scotland hit send on an email – relating to an event about to take place – via Microsoft Outlook, relaying the missive to 105 folk on the CAN. Instead of opting for the Blind Carbon Copy feature, it used Carbon Copy.

After the subsequent investigation, the ICO said it found “shortcomings” in the charity’s email processes, ranging from “inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy and an inadequate data protection policy.”

“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care,” said Ken McDonald, head of ICO Regions. “This avoidable error caused distress to the very people the charity seeks to help.”

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place,” he added.

HIV Scotland was penalised with a £10,000 fine under section 155 of the Data Protection Act 2018. It fully migrated all of its lists to MailChimp in late February 2020 and checked its SharePoint server to ensure no personal data was stored separately from the secure mailing lists. Staff have since undertaken online training.

“The Commissioner takes the view from her investigation that this breach occurred primarily as a result of serious deficiencies in HIV Scotland’s technical and organisational measures,” the ICO concluded.

The Register has asked HIV Scotland to comment.

This latest debacle follows another BCC blunder just last week by NHS Digital in which it copied the entirety of the invite list of messages about a “Let’s Talk Cyber” breakfast briefing. No, the irony wasn’t lost on us. ®