ICO fines charity £10,000 for data breach


18 November, 2021

Bethany Paliga
Senior Associate

The ICO has announced that it has fined HIV Scotland £10,000 for failing to implement an appropriate level of organisational and technical security for its internal email systems. The breach of data protection law involved an email sent to 105 recipients, who included patient advocates representing people living with HIV in Scotland. All email addresses were visible to every recipient, and 65 of the addresses identified individuals by name.

On 3 February 2020, HIV Scotland used Microsoft Outlook to send an email containing the agenda for an event due to take place on 8 February 2020 to 105 individual members of its Community Advisory Network. The agenda set out the meeting's key discussion points and the location of the meeting. The recipients were entered in the CC field rather than the BCC field, which revealed the email addresses of all the intended recipients to everyone who received the email.

From the personal information revealed, an assumption could be made about an individual's HIV status or risk. An investigation by the ICO, opened in February 2020, concluded that there were shortcomings in the charity's email procedure: inadequate staff training, an inadequate method of sending bulk emails (reliance on the blind carbon copy function) and an inadequate data protection policy.

The ICO also found that, despite the charity having recognised the risk in its email distribution and having procured a system that allows emails to be sent more securely, it continued to use the less secure BCC method for a further seven months.
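The technical lesson of the case is that bulk mail to a sensitive group should never depend on a person remembering to use BCC. The following is an added illustration written for this article; it is not HIV Scotland's system, the product it procured, or anything from the ICO notice. It builds one message per recipient so that no recipient list ever exists in a visible header, and it adds a guard that refuses to hand a message to the transport if its To or Cc headers would disclose more than one address. The sender, subject and the 105 recipient addresses are constructed sample data; `safe_send` expects any object with a `send_message` method, such as an `smtplib.SMTP` connection.

```python
"""Bulk email without recipient disclosure (added example, not the
charity's own code). Two controls are shown: building individual
messages so no recipient list is visible, and a pre-send check that
rejects any message exposing more than one address in To/Cc."""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the demonstration: a sender address and
# 105 member addresses, mirroring the size of the email in the case.
SENDER = "network@example.org"
SUBJECT = "Community Advisory Network meeting agenda"
BODY = "Please find the agenda for the meeting attached."
SAMPLE_RECIPIENTS = [f"member{i:03d}@example.net" for i in range(105)]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: all To and Cc entries.

    Bcc is not included because a correctly behaving transport strips
    it; only To and Cc are delivered in the message headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def check_no_disclosure(msg: EmailMessage, limit: int = 1) -> bool:
    """True if the message reveals at most `limit` recipient addresses."""
    return len(visible_recipients(msg)) <= limit


def build_individual_messages(sender: str, subject: str, body: str,
                              recipients: list[str]) -> list[EmailMessage]:
    """The safe pattern: one message per recipient, each addressed only
    to that recipient, so a CC/BCC mix-up cannot leak the list."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def build_cc_message(sender: str, subject: str, body: str,
                     recipients: list[str]) -> EmailMessage:
    """The failure mode from the case: one message with every recipient
    in Cc. Kept here only so the guard can be shown rejecting it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def safe_send(smtp, msg: EmailMessage) -> None:
    """Transmit only if the disclosure check passes.

    `smtp` is any object with a send_message(msg) method, for example an
    smtplib.SMTP connection; smtplib's send_message also removes Bcc
    headers before transmission, so Bcc recipients are never exposed."""
    exposed = len(visible_recipients(msg))
    if not check_no_disclosure(msg):
        raise ValueError(
            f"refusing to send: {exposed} addresses visible in To/Cc")
    smtp.send_message(msg)


if __name__ == "__main__":
    # Demonstration without a mail server: count what each pattern exposes.
    individual = build_individual_messages(SENDER, SUBJECT, BODY, SAMPLE_RECIPIENTS)
    cc_blast = build_cc_message(SENDER, SUBJECT, BODY, SAMPLE_RECIPIENTS)
    print(len(individual), "individual messages, each exposing",
          max(len(visible_recipients(m)) for m in individual), "address")
    print("single CC message exposes", len(visible_recipients(cc_blast)), "addresses")
```

The guard is deliberately placed at the point of transmission rather than in the user interface, because the charity's problem was not a lack of a BCC option but the absence of any control that would stop a mistaken send. A mailing-list or bulk-mail service that does the per-recipient expansion server-side achieves the same effect without relying on the person composing the message.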

Lack of Policies and Training

The ICO investigation found several shortcomings in the charity's data protection practices. In particular, HIV Scotland did not have a specific data protection policy on the secure handling of personal information within the organisation. Staff were instead given a copy of its privacy policy, which is a public-facing statement covering points such as what information is collected, how it is used and what data protection rights individuals have. That is not an appropriate data protection policy, which should focus on how staff handle personal information.

This highlights the importance of understanding the difference between your data protection policy and your privacy policy (sometimes also called a 'privacy notice'). A data protection policy is an overarching policy document which provides guidance to staff on how to comply with data protection law. On the other hand, a privacy policy is a statement of rights which sets out what personal information an organisation collects, how it is used and details of individuals' rights under data protection law. Both documents are required under data protection law and, whilst similarly named, they fulfil different functions.

In addition, the ICO investigation found that all staff at HIV Scotland were required to complete a data protection training course annually, but it raised concerns that this training was not completed in a timely manner: it should be completed before a member of staff is given access to personal information. In its report, the ICO concluded that, although data protection law fixes neither the type of data protection training an employee should undertake nor when it should be provided, it would expect an organisation, as part of its security measures to safeguard personal information, to train employees who handle personal information, and in particular special category information (whether directly or by inference), before they are given access to it. This highlights the importance of staff receiving data protection training at induction, before they are permitted access to personal information, and at regular intervals thereafter.

How Does this Apply to Schools?

Whilst the nature of the charity HIV Scotland is very different from that of our school clients, the case demonstrates the ICO's willingness to fine charitable organisations where there has been a serious breach of data protection law. Schools should ensure that their data protection policies cover the sending of bulk emails and the use of the BCC function, and that regular data protection training is provided to all staff.

A copy of the ICO's decision notice is available to view here - mpn-hiv-scotland-20211018.pdf (ico.org.uk)

For more information contact Bethany Paliga in our Education department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
