
The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after failures by HIV Scotland led to a £10,000 fine.

The breach of data protection law involved an email to 105 people which included patient advocates representing people living in Scotland with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name.

From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.

An ICO investigation of the February 2020 incident found shortcomings in the charity’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy.

It also found that despite the charity’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months later.

Ken Macdonald, Head of ICO Regions, said:

“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

Under data protection law, organisations responsible for personal data must have appropriate technical and organisational measures in place to keep that data secure.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. This penalty was issued under the Data Protection Act 2018 for infringements of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.
  4. In reaching its decision to impose a penalty that was effective, proportionate and dissuasive, the ICO considered the charity’s size and its representations regarding its financial position.
  5. Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
  6. To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.