The ICO has fined the Bloomsbury Patient Network after it inadvertently revealed the identities of HIV patients through an email error.

The Network, which offers support to patients, sent out a newsletter via email using a list of email addresses in the ‘to’ field rather than the ‘bcc’ field to 200 patients. On receiving the email the recipients on the list could see all the individual email addresses. Many of them contained people’s names which resulted in 56 patients’ full or partial names being revealed.

The incident was the second of this type at the Bloomsbury Patient Network in three months.

Head of Enforcement at the ICO, Stephen Eckersley said:

“Our investigation uncovered initial problems at the Bloomsbury Patient Network back in February that weren’t reported to us. They were going to provide training for staff and start using a system that sends separate emails to users. It seems the second incident occurred before they had time to put these measures in place so we had to act.”

The ICO has given the Network a £250 fine due to its status as an unincorporated association but because of the serious nature of the breach, most organisations would expect to receive a much larger fine.

Stephen Eckersley continued:

“The trustees of Bloomsbury Patient Network are individually liable to pay any monetary penalty which is why the fine is much smaller than usual. But it’s important to warn others that this type of sensitive data can cause huge amounts of distress for the people involved. We need to send a clear message - no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data.”

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  1. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  1. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
  1. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with your rights;
  • secure; and
  • not transferred to other countries without adequate protection.
  1. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
  1. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).