HIV Scotland fined £10,000 after email error reveals identities of individuals

It is one of the most common ways organisations breach personal data. A newsletter or other email to multiple recipients is sent with the email addresses of all the other recipients visible. A quick Internet search can allow specific individuals to be identified from the list, or in some cases the person’s name forms part of the email address.

While this is very much a breach of the GDPR (General Data Protection Regulation), most of the time the harm and distress caused to those affected is fairly minor. However, if the content or context of the email allows sensitive information about a recipient to be inferred, such as their health or sexual orientation, the impact quickly becomes a lot more serious.

This is what happened to HIV Scotland in February 2020, when an email was sent out that revealed the identity of 65 individuals. These individuals were part of the organisation’s CAN (community advisory network).

Their email addresses were Cc’d rather than Bcc’d, so every recipient could see the address of every other recipient. HIV Scotland had been transitioning from Outlook to Mailchimp, which sends each recipient a separate copy of the message and so would have reduced the likelihood of such an incident, but Mailchimp was not used for the CAN mailing list.
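The error itself is a one-word slip, Cc instead of Bcc, so the practical control is to check a message before it leaves rather than to rely on the sender. The following is an added example, not code from HIV Scotland or from the original article: it builds a bulk message with Python’s standard library, reproduces the faulty Cc version on request, and refuses to hand over envelope recipients when list members would be visible to one another. All addresses are constructed sample data, and the threshold of one visible address (the list alias in To) is an assumed policy.

```python
"""Guard against the Cc-instead-of-Bcc mistake when sending bulk mail.

Added example, not part of the original article. All addresses here are
constructed sample data; the "at most one visible address" rule is an
assumed policy, not one taken from the ICO's decision.
"""
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposure(Exception):
    """Raised when a message would reveal recipients to each other."""


def _addresses(msg, headers):
    """Return the bare addresses found in the named headers, in order, without duplicates."""
    raw = []
    for name in headers:
        raw.extend(str(h) for h in msg.get_all(name, []))
    seen = []
    for _display, addr in getaddresses(raw):
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def visible_recipients(msg):
    """Addresses every recipient will see: To and Cc headers (Bcc is stripped on send)."""
    return _addresses(msg, ["To", "Cc"])


def envelope_recipients(msg):
    """Addresses the message is actually delivered to: To, Cc and Bcc."""
    return _addresses(msg, ["To", "Cc", "Bcc"])


def build_bulk_message(list_alias, subject, body, members, *, use_bcc=True):
    """Build a mailing-list message addressed to `members`.

    The visible To header is the list's own alias, so with use_bcc=True no
    member address appears in any header the recipients receive. With
    use_bcc=False the function reproduces the Cc mistake described above.
    """
    msg = EmailMessage()
    msg["From"] = list_alias
    msg["To"] = list_alias
    msg["Subject"] = subject
    msg["Bcc" if use_bcc else "Cc"] = ", ".join(members)
    msg.set_content(body)
    return msg


def check_before_send(msg, max_visible=1):
    """Return the envelope recipients, or raise if the message exposes its recipient list.

    Call this before smtplib.SMTP.send_message(); that method computes the
    envelope from To/Cc/Bcc itself and removes the Bcc header from the copy
    it transmits, so nothing here needs to touch the headers.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise RecipientExposure(
            f"{len(visible)} addresses would be visible to every recipient "
            f"(policy allows {max_visible}): {', '.join(visible[:3])}..."
        )
    return envelope_recipients(msg)


if __name__ == "__main__":
    # Constructed sample list; no real addresses.
    members = ["alice@example.org", "bob@example.org", "carol@example.org"]
    safe = build_bulk_message("can-list@example.org", "Newsletter", "Hello all", members)
    print("safe message delivers to:", check_before_send(safe))
    faulty = build_bulk_message("can-list@example.org", "Newsletter", "Hello all", members, use_bcc=False)
    try:
        check_before_send(faulty)
    except RecipientExposure as exc:
        print("blocked:", exc)
```

The same `visible_recipients()` check can be run over an archive of already-sent messages (parse each with `email.message_from_bytes`) to find past exposures, which is the audit a gap analysis would otherwise do by hand.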

While the breach was identified immediately and HIV Scotland attempted to recall the message, there was no means of identifying how successful the recall was. This is the usual outcome: an Outlook recall only removes copies from mailboxes in the same Exchange organisation that have not yet been opened, and does nothing for external recipients. In its initial breach report to the ICO (Information Commissioner’s Office), HIV Scotland accepted that “[a]ssumption could be made about individuals HIV status or risk”.

Following an investigation, the ICO fined HIV Scotland £10,000 for violating the GDPR.

A familiar story

If you think you’ve heard this story before, that’s because this isn’t the first time it has occurred. In 2014, the Bloomsbury Patient Network sent out an email without obscuring the addresses of 200 HIV-positive patients.

A year later, HIV clinic 56 Dean Street failed to obscure the email addresses of 781 individuals receiving a newsletter “intended for people using the clinic’s sexual health services”. And in 2019, the same error saw NHS Highland breach the email addresses of 37 HIV-positive patients.

HIV Scotland immediately tried to manage the incident. It sent apologies to the individuals involved and posted a notice on the home page of its website.

It also offered to support those impacted by the incident and promptly dealt with the one complaint that arose. Importantly, the organisation conducted a full audit of data management procedures to identify any other aspects of compliance that may have been overlooked.

However, given the severity of the incident, the ICO still deemed it necessary to issue a fine.

Often organisations only conduct a gap analysis after a personal data breach. While this helps manage compliance going forward, it cannot undo the financial and reputational damage already caused by a major incident.

Undertaking a gap analysis enables organisations to identify risky processes and take action to address them. Should an incident occur, the organisation can demonstrate that it had a good understanding of its personal data processing and had measures in place to manage risk wherever possible.

Our GDPR Gap Analysis service is an effective way of reviewing not only the processing activities themselves but also the policy and governance structures underpinning them. Each analysis results in a bespoke report with a prioritised list of actions that the organisation needs to take to improve compliance and demonstrate continuing improvement.

Don’t wait until a breach occurs before reviewing compliance. A GDPR gap analysis can help you stay one step ahead.

