18 November, 2021
The ICO has announced that it has fined HIV Scotland £10,000 for failing to implement appropriate organisational and technical security measures for its internal email systems. The breach of data protection law involved an email sent to 105 recipients, among them patient advocates representing people living with HIV in Scotland. All of the email addresses were visible to every recipient, and 65 of them identified individuals by name.
On 3 February 2020, HIV Scotland used Microsoft Outlook to send an email to 105 individual members of its Community Advisory Network. The email contained the agenda for an event due to take place on 8 February 2020, including the meeting's key discussion points and its location. The addresses were entered in the CC field rather than the BCC field, so every recipient could see the email addresses of all the other intended recipients.
From the personal information revealed, an assumption could be made about an individual's HIV status or risk. The ICO's investigation, opened in February 2020, concluded that there were shortcomings in the charity's email procedures: inadequate staff training, reliance on blind carbon copy as the method for sending bulk emails, and an inadequate data protection policy.
The ICO also found that, despite the charity having itself recognised the risk in its email distribution and having procured a system that allows emails to be sent more securely, it was still using the less secure BCC method seven months later.
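The distinction between CC and BCC is not a matter of etiquette but of what is transmitted: addresses in To and Cc travel in the message headers that every recipient receives, whereas BCC recipients exist only in the SMTP envelope and never appear in the delivered message. The following script is an added example, not code from the article or from the ICO notice, and it connects to no mail server. It composes the same agenda email both ways, extracts every address a recipient would see, and applies a pre-send guard that refuses a bulk message whose recipient list is visible. The sender address, the distribution list and the visibility threshold are assumptions chosen for illustration.

```python
"""Bulk email: visible recipients (the CC mistake) versus undisclosed ones.

Added example, not from the article or the ICO notice. Standard library only;
nothing is sent. All addresses below are constructed sample data.
"""
from email.message import EmailMessage

# Constructed sample distribution list (hypothetical addresses).
RECIPIENTS = [
    "jane.doe@example.org",
    "advocate.two@example.net",
    "third.member@example.com",
]
SENDER = "noreply@charity.example"   # hypothetical sender address
VISIBLE_RECIPIENT_LIMIT = 1          # assumed policy: bulk mail shows no other recipients


def build_message(recipients, *, visible):
    """Compose the agenda email.

    visible=True reproduces the CC mistake: every address goes in the headers.
    visible=False keeps the list out of the headers entirely; the addresses are
    returned separately as the SMTP envelope recipients, which is what BCC
    actually is on the wire.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Community Advisory Network meeting agenda"
    msg.set_content("Agenda and venue details for the meeting.")
    if visible:
        msg["To"] = SENDER
        msg["Cc"] = ", ".join(recipients)
    else:
        # RFC 5322 empty group: a valid To header that names nobody.
        msg["To"] = "undisclosed-recipients:;"
    # The list is passed as to_addrs to smtplib, never written into a header.
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address a recipient will see in the delivered To/Cc headers."""
    seen = []
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            # EmailMessage parses address headers; groups are flattened.
            seen.extend(addr.addr_spec for addr in header.addresses)
    return seen


def check_before_send(msg, envelope_recipients, limit=VISIBLE_RECIPIENT_LIMIT):
    """Pre-send guard for bulk mail. Returns (ok, reason)."""
    if msg.get("Bcc"):
        # A Bcc header left in the message body would itself leak the list.
        return False, "Bcc header must be stripped before transmission"
    seen = visible_recipients(msg)
    if len(envelope_recipients) > 1 and len(seen) > limit:
        return False, f"{len(seen)} recipients visible in To/Cc"
    return True, "ok"


if __name__ == "__main__":
    for visible in (True, False):
        msg, envelope = build_message(RECIPIENTS, visible=visible)
        ok, reason = check_before_send(msg, envelope)
        print(f"visible={visible}: ok={ok} ({reason})")
        print(msg.as_string())
```

When the guard passes, the message and the envelope list are handed to `smtplib.SMTP.send_message(msg, to_addrs=envelope)`; that method already strips any Bcc header before transmission, but the guard above fails closed if one is present, so a misconfigured client cannot leak the list through the header either. The check is the kind of control the ICO's findings point at: a procedural safeguard that catches the mistake before the email leaves the organisation rather than relying on each sender choosing the right field.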
Lack of Policies and Training
The ICO investigation also found that all HIV Scotland staff were required to complete a data protection training course annually, but raised concerns that this training was not completed in a timely manner; it should be completed before a member of staff is given access to personal information. The ICO concluded that, whilst data protection law does not prescribe the type of data protection training an employee should undertake or when it should be provided, it would expect an organisation, as part of its security measures to safeguard personal information, to train employees who handle personal information, and in particular special category information (whether explicit or by inference), before giving them access to it. This highlights the importance of staff receiving data protection training at induction, before they are permitted access to personal information, and regularly thereafter.
How Does this Apply to Schools?
Whilst the nature of the charity HIV Scotland is very different from that of our school clients, the case demonstrates the ICO's willingness to fine charitable organisations where there has been a serious breach of data protection law. Schools should ensure that their data protection policies cover the sending of bulk emails and the use of the BCC function, and that regular data protection training is provided to all staff.
A copy of the ICO's decision notice is available to view here: mpn-hiv-scotland-20211018.pdf (ico.org.uk)
Learn more about our Education department here