Scottish HIV charity fined £10,000 after data breach



The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after failures by HIV Scotland led to a £10,000 fine.

The breach of data protection law involved an email to 105 people, which included patient advocates representing people living in Scotland with HIV.

All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.

An ICO investigation of the February 2020 incident found shortcomings in the charity’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy.

It also found that despite the charity’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months later.

Ken Macdonald, head of ICO regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.

“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

Under data protection law, organisations responsible for personal data must have appropriate technical and organisational measures in place to keep that data secure.

HIV Scotland’s new interim chief executive Alastair Hudson said the charity took full responsibility and apologised unreservedly to anyone who had been affected by the data breach.

He explained that a new team and board of trustees had taken “robust steps” to improve information security.

“For a small charity, financially, I cannot deny that this is a heavy blow, however we will find a way to pay the £10,000 fine to the ICO,” stated Hudson.

“As an organisation, HIV Scotland would like to re-iterate its commitment to providing a safe and supportive space where our stakeholders and networks can contribute to better health and wellbeing for those impacted by HIV and improving sexual health for all.”
