ICO (UK) - HIV Scotland
From GDPRhub
| ICO (UK) - HIV Scotland | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 18.10.2021 |
| Published: | 22.10.2021 |
| Fine: | 10000 GBP |
| Parties: | HIV Scotland |
| National Case Number/Name: | HIV Scotland |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Information Commissioner's Office (in EN) |
| Initial Contributor: | MH |
The UK DPA (ICO) imposed a fine of around €12000 on HIV Scotland for failing to implement appropriate organisational and technical measures. The charity disclosed special category data by sending a group email in CC rather than BCC.
English Summary
Facts
HIV Scotland is a charity that helps people living with HIV, those at risk of HIV and individuals that support people with HIV. HIV Scotland got a MailChimp account for the purpose of online mailing and migrated contact details to the bulk mailing platform. A list of contact details of the Community Advisory Network (CAN) was not migrated.
On 3 Feburary 2020, an email was sent using Microsoft Outlook to 105 members of CAN in CC rather than BCC. This meant that email addresses of 65 recipients were apparent, identifying the individual by name.
HIV Scotland noticed the error instantly and submitted a breach report, highlighting that individuals' HIV statuses could be deduced from this breach. HIV Scotland contacted the individuals to apologise and offered support if distress was caused.
HIV Scotland has since implemented MailChimp for all its mailing operations to reduce the risk of a repeat incident.
Holding
The Information Commissioner's Office (ICO) conclude that HIV Scotland failed to set up an appropriate organisational and technical measures. The following steps taken by HIV Scotland prior to the breach were insufficient according to the ICO:
- Employees asked to read and refer to HIV Scotland's privacy policy
- Training on GDPR awareness in the first three months of employment
- Awareness of the BCC requirement for group emails
- Attempt to migrate contact details to MailChimp for better security.
The ICO found following deficiencies in the technical and organisational measures at HIV Scotland.
- HIV Scotland did not have a specific internal Policy for handling personal data securely. Reliance on the external Privacy Policy was not an appropriate data protection policy for staff handling personal data.
- The staff did not have guidance on how to handle personal data securely. According to the ICO, employees should have had GDPR training prior to handling personal data and within one month of their start data. This is especially required when staff handle special category data.
- It was revealed during the investigation that the charity was aware of the poor data storage for 10 months prior to the breach. The move to MailChimp was an attempt to rectify this, however this was not adequately implemented between July 2019 and the day of the breach, 3 February 2020. According to the ICO, a correct and full implementation MailChimp would have prevented the disclosure of personal data.
The ICO clarified that although only email addresses were apparent, the special category data of 65 identified individuals could be inferred to a reasonable degree (HIV status).
The ICO deemed that HIV Scotland was fully aware of the risk of its practices, having criticised another controller for having suffered a similar error 6 months before HIV Scotland's own personal data breach.
The ICO concluded that HIV Scotland infringed Article 5(1)(f) of the GDPR by sending bulk emails rather than separate emails to each intended recipient. Additionally, it found that in addition to failing to fully migrate to MailChimp, HIV Scotland failed to use BCC in Microsoft Outlook.
The ICO also concluded that HIV Scotland infringed Articles 32(1) and (2) of the GDPR by failing to have a level of security appropriate to the risk of processing. The ICO particularly highlighted the awareness within HIV Scotland that their practices prior to the breach were deficient.
When assessing the level of the fine, the ICO considered certain factors, such as:
- the fact that the breach of personal data would at least cause an element of distress for the individuals;
- the fact that the breach was negligent due to HIV Scotland's awareness that Outlook was not secure for sensitive communications and that HIV Scotland had criticised another controller for a similar error;
- the fact that HIV Scotland should have been aware of previous fines by the ICO regarding similar breaches and in any case were aware of the deficiencies of their own technical and organisational measures;
- the fact that special category data (HIV status) could be reasonably inferred as a result of the breach;
- the fact that HIV Scotland took steps to mitigate the damage suffered by individuals;
- the fact that HIV Scotland didn't have prior data protection infringements;
- the fact that HIV Scotland cooperated with the ICO; and
- the fact that HIV Scotland reported the breach to the ICO within 2 hours of the incident.
The ICO then went to impose a fine of approximately €12000 on HIV Scotland.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
Information Commissioner's Office
DATA PROTECTION ACT 2018 (PART 6, SECTION 155)
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
TO: HIV Scotland
OF: 18 York Place, HIV Scotland, Edinburgh EHl 3EP
1. HIV Scotland is charity registered in Scotland (number SC033951) and
a company limited by guarantee (number SC242242).
2. The InformatioCommissioner ("the Commissioner"has decided to
issue HIV Scotland with a Penalty Notice under section 155 of the Data
Protection Act 2018 ("the DPA"). This penalty notice imposes an
administrativfine on HIV Scotland, in accordance with the
Commissioner's powers under Article 83 of the General Data Protection
Regulation 2016 ("the GDPR"). The amount of the monetary penalty is
£10,000.
3. This penalty has been issued because of contravenby HIV
Scotland of Articles 5(land 32(1) and (2) of the GDPR in that,
during the period of 25 May 2018 to 24 February 2020, HIV Scotland
failed to implement an appropriate level of organisand technical
security to its internal email systems. This failure resulted in an email
being sent on 3 February 2020 without the appropriate security to 105
recipients, disclosing the personal data of 65 of the recipients. In
particular, the email contained personal data and disclosed information
from which special category data could be reasonably inferred.
1 •
ICO.
Information Commissioner's Office
4. In the interests of clarity, 25 May 2018 is the date when GDPR came
into effect, and 25 February 2020 is the date on which HIV Scotland
took its final steps to implement MailChimp as its sole email client for
any mail-out across the organisation, thereby mitigating the risk which
led to the initial data breach.
5. This Monetary Penalty Notice explains the Commissioner's decision,
includingthe Commissioner's reasons for issuing the penalty and for
the amount of the penalty.
Legal framework for this Notice of Intent
Obligations of the controller
6. HIV Scotland is a controller for the purposes of the GDPR and the DPA,
because it determines the purposes and means of processing of personal
data (GDPR Article 4(7)).
7. 'Personal data' is defined by Article 4(1) of the GDPR to mean:
information relating to an identified or identifiable natural
person ('data subject'); an identifiable natural person is
one who can be identified,irectly or indirectly, in
particular by reference to an identifier such as a name, an
identificationumber, location data, an online identifier or
to one or more factors specific to the physical,
physiological, genetic,ntal, economic, cultural or social
identity of that natural person.
8. 'Processing' is defined by Article 4(2) of the GDPR to mean:
any operation or set of operations which is performed on
personal dataor on sets of personal data, whether or not
by automated means, such as collection, recording,
2 •
ICO.
Information Commissioner's Office
organisation, structuring,storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction
9. Article 9DPR prohibits the processing of 'special categories of personal
data' unless certain conditions are met. The special categories of
personal data subject to Article 9 include 'data concerning health or data
concerning a natural person's sex life or sexual orientation'.
10. Controllers are subjecto various obligations in relation to the processing
of personal data, as set out in the GDPR and the DPA. They are obliged
by Article 5(2) to adhere to the data processing principles set out in
Article 5(1) of the GDPR.
11. In particular, controllers are required to implement appropriate technical
and organisational measures to ensure that their processing of personal
data is secure, and to enable them to demonstrate that their processing
is secure. Article 5(1)(f("Integrity and Confidentiality") stipulates
that:
Personal data shall be [...] processed in a manner that
ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using
appropriate technical or organisational measures
12. Article 32 ("Security of processing") provides, in material part:
1. Taking into account the state of the art, the costs of
implementation and the nature, scope, context and
purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of
natural persons, the controller and the processor shall
implement appropriate technical and organisational
3 •
ICO.
Information Commissioner's Office
measures to ensure a level of security appropriate to the
risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal
data;
(b) the ability to ensure the ongoing confidentiality,
integrity, availability and resilience of processing
systems and services;
(c) the ability to restore the availability and access to
personal data in a timely manner in the event of a
physical or technical incident;
(d) a process for regularly testing, assessing and
evaluating the effectiveness of technical and
organisational measures for ensuring the security of
the processing.
2. In assessing the appropriate level of security account
shall be taken in particular of the risks that are presented
by processing, in particular from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or
access to personal data transmitted,stored or otherwise
processed.
The Commissioner's powers of enforcement
13. The Commissioner is the supervisory authorityfor the UK under the
GDPR.
14. By Article 57(1) of the GDPR, it is the Commissioner'task to monitor
and enforce the application of the GDPR.
15. By Article 58(2)(d)of the GDPR the Commissioner has the power to
notify controllers of alleged infringemenof GDPR. By Article 58(2)(i)
she has the power to impose an administrative fine, in accordance with
Article 83, in addition to or instead of the other correctimeasures
referred to in Article 58(2)depending on the circumstances of each
individual case.
4 •
ICO.
Information Commissioner's Office
16. By Article 83(1), the Commissioner is required to ensure that
administrative fines issued in accordance with Article 83 are effective,
proportionate,and dissuasive in each individual case. Article 83(2) goes
on to provide that:
When deciding whether to impose an administrative fine
and deciding on the amount of the administrative fine in
each individual case due regard shall be given to the
following:
(a) the nature, gravity and duration of the
infringement taking into account the nature scope or
purpose of the processing concerned as well as the
number of data subjects affected and the level of
damage suffered by them;
(b) the intentional or negligent character of the
infringement;
(c) any action taken by the controller or processor to
mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or
processor taking into account technical and
organisational measures implemented by them
pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the
controller or processor;
(f) the degree of cooperation with the supervisory
authority, in order to remedy the infringement and
mitigate the possible adverse effects of the
infringement;
(g) the categories of personal data affected by the
infringement;
(h) the manner in which the infringement became
known to the supervisory authority, in particular
whether, and if so to what extent, the controller or
processor notified the infringement;
5 •
ICO.
Information Commissioner's Office
(i)where measures referred to in Article 58(2) have
previously been ordered against the controller or
processor concerned with regard to the same
subject-matter, compliance with those measures;
(j)adherence to approved codes of conduct pursuant
to Article 40 or approved certification mechanisms
pursuant to Article 42; and
(k) any other aggravating or mitigating factor
applicable to the circumstances of the case, such as
financial benefits gained, or losses avoided, directly
or indirectly, from the infringement.
17. The DPA contains enforcement provisions in Part 6 which are exercisable
by the Commissioner. Section 155 of the DPA ("Penalty Notices")
provides that:
(1) If the Commissioner is satisfied that a person
(a) has failed or is failing as described in section
149(2) ...,
the Commissioner may, by written notice (a "penalty
notice"), require the person to pay to the
Commissioner an amount in sterling specified in the
notice.
(2) Subject to subsection (4), when deciding whether to
give a penalty notice to a person and determiningthe
amount of the penalty, the Commissioner must have
regard to the following, so far as relevant-
(a) to the extent that the notice concerns a matter to
which the GDPR applies, the matters listed in Article
83(1) and (2) of the GDPR.
18. The failures identifiedin section 149(2) DPA are, insofar as relevant
here:
6 •
ICO.
Information Commissioner's Office
(2) The first type of failure is where a controller or
processor has failed, or is failing, to comply with any of the
following-
(a) a provision of Chapter II of the GDPR or Chapter
2 of Part 3 or Chapter 2 of Part 4 of this Act
(principles of processing);
.,.
(c) a provision of Articles 25 to 39 of the GDPR or
section 64 or 65 of this Act (obligations of controllers
and processors) [...]
Factual background to the incident
19. HIV Scotland is a charity which provides support for individuals
living with HIV, individuals who may be at risk of HIV, and individuals
who support those groups.
20. HIV Scotland's Community Advisory Network ("CAN") brings
together patient advocates from across Scotland to represent the full
diversity of people living with HIV. Individuals sign up to be part of this
network to help support and inform the work of HIV Scotland. Semi
regular email updates are sent to the group, usually surrounding one of
their quarterly meetings.
21. Having identified its onlineailing/database programme as a key
organisationalpriority in April 2019, in June 2019 HIV Scotland made a
decision to procure a MailChimp account. The procurement took place
in July 2019. Over the following months a number of lists held by HIV
Scotland were migrated to MailChimp to provide the necessary
functionalitfor bulk messages to be sent in a more secure manner.
However, by the time of the incident, the CAN list was not one of those
which had been migrated.
7 •
ICO.
Information Commissioner's Office
22. On 3 February 2020, HIV Scotland sent
an email using Microsoft Outlook, containing an agenda for an event
taking place on 8 February 2020, to 105 individual members of HIV
Scotland's CAN. The agenda provided details of the meeting's key
discussion points, and details of the meeting's location. Instead of
using the Blind Carbon Copy ("BCC") feature, the used
the Carbon Copy ("CC") feature, showing the email addresses of all
intended recipients to all that received the email.
23. 65 of 105 email addresses visible to the other recipients as part
of this communication clearly identified individuals by their name. The
breach was identified immediately,
Ithas not been possible for HIV
Scotland to determine how successful the recall was.
24. Itis noted that two recipients responded to HIV Scotland to
highlight the incident.
25. HIV Scotland contacted the ICO Helpline about the incident and
completed and submitted a breach report on the same day as the
incident. The incident was attributed to human error, with HIV Scotland
accepting that, in terms of the personal data disclosed, "[a]ssumption
could be made about individuals HIV status or risk".
26. Upon becoming aware of the error, HIV Scotland's chief
executive emailed all recipients to apologise. HIV Scotland also issued
a statement on its website, contacted the individuals involved to
apologise, and to ask that the email is deleteItalso offered personal
support in the event of any distress caused. HIV Scotland has advised
that 12 individuals contacted it to thank it for the apology.
8 •
ICO.
Information Commissioner's Office
28. It is understood that MailChimp is now fully implemented and
operational so the risk of a repeat incident is significantly reduced and
very unlikely. In February 2020 HIV Scotland confirmed to the
Commissioner that it has "now completed the migration to Mai/Chimp
to ensure that the error of failing to BCC a group email can no longer
29. As a result of the breach, HIV Scotland decided to fully audit all
of its security and data management procedures and a full search of its
SharePoint Server was completed to ensure no personal information
was stored separately from its secure mailing lists.
30. The Commissioner has considered whether these facts constitute
a contraventionof the data protection legislation.
The Contraventions of Article S(l)(f),32(1) and (2) of the GDPR
31. For the reasons set out below, the Commissioner takes the view
from her investigation that this breach occurred primarily as a result of
serious deficiencies in HIV Scotland's technical and organisational
measures.
32. It is accepted that HIV Scotland did have some policies and
associated measures, whether in place or in progress, at the time of
the breach, and the Commissioner has considered these below:
9 •
ICO.
Information Commissioner's Office
a) HIV Scotland advised that all employees would be asked to read and
refer to the HIV Scotland's Privacy Policy as well as highlight it to
those who contact them when relevant.
b) HIV Scotland confirmedthat all staff have access to an online
training hub called 'BOLT Spark' and are required to complete 11
training modules within the first three months of their employment,
including GDPR (called "EU GDPR Awareness for All") which contains
an assessed module on data protection and specifically GDPR.
c)
was aware of
the privacy policy and expectations to meet GDPR requirements,
includingthe use of BCC for group emails.
d) HIV Scotland wereat the time of the breach in the process of
migrating its databases/lists to MailChimp in order to introduce the
ability to securely email group contacts on all mailing lists held by
them.
33. Whilst it is accepted that HIV Scotland had taken some steps as
detailed above, the Commissioner finds that they were not sufficient.
The Commissioner's findings are detailed below:
a) HIV Scotland did not have a specific Policy on the secure handling of
personal data within the organisation. Rather, the Policy staff relied
on related to HIV Scotland's own Privacy Policy, and was the public
facing statement covering points such as Cookie use, and data
subject access rights; it was not an appropriate Data Protection
Policy which focused on staff handling of personal data. The Privacy
Policy referenced by HIV Scotland provided no guidanceo staff on
the handling of personal data itself, for example, what they must do
10 •
ICO.
Information Commissioner's Office
to ensure that it is kept secure. This is something which the
Commissioner would expect from an organisation handling personal
data, and would expect it to maintain policies regarding, amongst
other things, confidentiality.
b) The used by HIV Scotland includes
an entry for day one as "Explanatof data processing, GDP&
email use inc. BBC for group emails" (sic) which appears to suggest
that the use of BCC for group emails was deemed an acceptable
method of group-email contact.
c) HIV Scotland stated in its initial breach notification,
HIV Scotland confirmed that employees are expected to complete
the "EU GDPR Awareness for All" on an annual basis. The
Commissioner considers it a weakness and a risk that the data
protection course is expected to be completed
when it should have been much sooner and
certainly before an employee handled personal data. Whilst there is
no fixed requirement within the DPA or the GDPR as to the type of
data protection training an employee should undertake, or when it
should be provided, as part of a controller's organisational measures
to safeguard personal data the Commissioner would expect an
organisation to train employees handling personal data, and in
particular data which is special category in nature or by inference
beforean individual is given access to such data. The
Commissioner's current guidance on this (as contained in the
11 •
ICO.
Information Commissioner's Office
'AccountabilityFramework' package 1) recommends that staff receive
inductiontraining prior to accessing personal data and within one
month of their start date.
d) Regarding the implementation of Mailchimp, the Commissioner
notes that when asked for its reasons for procuring Mailchimp, HIV
Scotland advised that "when I [the HIV Scotland representative]
took over as Chief Executive, the system for storing data was poor
in the organisation. It involved a variety of different excel
spreadsheets that individual staff controlled. This meant that if
someone asked to be removed from a mailing list; the process was
difficult and hard to confirm every entry had been deleted. When we
hired our Communications Lead, we highlighted an online
mailing/database programme as a key priority in April 2019." (sic).
HIV Scotland stated further during the Commissioner's investigation
that "[d]ue to the impending event, we had not yet moved the
Advisory Network mailing list over to Mai/Chimp to ensure everyone
was still receiving the emails." The "impending event" referred to is
the CAN event of 8 February 2020, to which the email agenda that
was sent on 3 February 2020 without the use of BCC pertains. HIV
Scotland further confirmed that they had procured MailChimp and
other groups had been transferred onto it, but they held off doing
that for this particular CAN group because of the immediacy of the
event that formed the content of the email of 3 February 2020.
They were concerned that if they had used MailChimp for
communication in relation to the impending event, that the emails
may have caused disruption by ending up in the junk folder or
appearing to have been sent by someone else. It is clear from HIV
Scotland's reasons for procuring Mailchimp that it had identified the
1https ://ico .org.uk/for-orga nisations/ accounta biIity-fra mework/trai ning-and-awa reness/i nduction-a nd-refresher-tra ining/
12 •
ICO.
Information Commissioner's Office
need for improvements to online mailings as early as ten months
prior to the breach.
The Commissioner understands that Mailchimp was in fact procured
in July 2019but was not adequately implemented by the time of the
breach on 3 February 2020.
Mailchimp providedthe necessary functionalitfor bulk messages to
be sent in a more secure manner. The Commissioner is of the view
that if it had been appropriateimplemented when communicating
with users and supporters of HIV Scotland's services via email, it
would have prevented the disclosure of those users' email
addresses. In short, it would have prevented both the occurrence
and consequence of the breach.
The Commissioner's investigation into this matter has determined
that despite a clear recognition of the risks of the use of BCC,
insufficient stewere taken quickly enough to prevent the
disclosure of service users' emails. This is despite a solution having
already being procured and in use in regard to other areas of HIV
Scotland's estate. This represents a serious and negligent failure
take appropriate organisational and technical steps to reduce the
possibility of an incident occurring. If the use of Mailchimp had been
adequately risk assessed, scoped and prioritised, the Commissioner
takes the view that it is highly likely that this incident would not
have happened.
34. The Commissioner considers that the data concerned in this case
comprises of email addresses. An email address which clearly relates to
an identified or identifiable living individual is considered to be personal
data.
13 •
ICO.
Information Commissioner's Office
35. However, regarding the content of any email, this will not
automatically be personal data unless it includes information which
reveals something about that individual or has an impact on them.
36. In this case, it is considered that the content of the email,
specifically the agenda, combined with the identity of the organisation
sending the email, does reveal information about the recipients.
Namely, the receipts are identified as HIV Scotland CAN members, to
the extent that they have been invited to a CAN event hosted by the
organisation. Consequently, and to the extent to which 65 individuals
can be identified from the email distributionlist, special category data
can be inferred to a reasonable degree in so far as the disclosure of the
email addresses connects those individuals with an organisation that
provides HIV support services.
37. The Commissioner takes the view that even if the email
addresses and content of the email itself can be deemed not to
constitute special category data, it is clear that there are particular
sensitivities around the nature of the personal data being processed in
this situation that HIV Scotland should have considered in line with the
Commissioner's guidance on Special Category Data 2•
38. The Commissioner considers further that HIV Scotland has
previously demonstrated an increased awareness of the risks of such
conduct, given that on 17 June 2019 it had commented critically on its
website in relationto a similar issue involving a Health Board.
2https ://ico. org. uk/for-ouide-to-data-proteuide-to-the-general-data-protection
regulation-g dpr/ specia 1-category-d ata/what-i s#scd7i a1-category-d ata/
14 •
ICO.
Information Commissioner's Office
39. The Commissioner takes the view that by the time the HIV
Scotland breach occurred almost eight months later, and having
commented on the error experienced by another controller, HIV
Scotland were certainly aware of such a risk and should have ensured
they had adequate measures in place to prevent such an incident
within its own organisation.
40. HIV Scotland has confirmed that it received one formal complaint
regarding the incident but did not believe the points raised in the
complaint required any further action. HIV Scotland responded to the
complainant with its view at the time, although the Commissioner
considers that the complaint clearly identifies distress being
experienced by the complainant as a result of the breach.
41. Specifically,ith regard to the principle of integrity and
confidentialitunder Article (S)(l)(of the GDPR, the Commissioner
considersthat HIV Scotland failed to send a separate email to each
intended recipient, and instead utilised bulk email facility.
42. The Commissioner further finds that, notwithstandiits failure
to migrate the CAN list to the more secure MailChimp platform despite
it being available, HIV Scotland failed to use the BCC function of
Microsoft Outlook.
had completed the 'Explanation of data processing, GDPR& email use
inc BBC for group emails' (sic) awareness training
15 •
ICO.
Information Commissioner's Office
44. In regard to the requirementunder Articles 32(1) and (2) of the
GDPR to implement a level of security appropriate to the risk when
processing data,the Commissioner considers that HIV Scotland failed
to implement a level of security appropriate to the risk in this instance.
HIV Scotland had actively recognised the need for greater outbound
mailing security aumber of months prior to the breach, and had in
fact procured a MailChimp account which, if implementedwould have
mitigated the risk of a breach. However, it failed to implement this
level of security in relation to the CAN list which, had it done so, would
have significantly reducedhe likelihood of the breach occurring.
45. The Commissioner finds that HIV Scotland should have taken
particular account of the risks associated with processing the personal
data in this instance when assessing the appropriate level of security.
Given the nature of the CAN list, together with the significant delay
between procurement of MailChimp in July 2019 and its eventual
implementation which took place shortly after the breach in February
2020, it is clear that HIV Scotland failed to do this.
Notice of Intent
46. On 22 July 2021, in accordance with s.155(5) and paragraphs 2
and 3 of Schedule 16 DPA, the Commissioner issued HIV Scotland with
a Notice of Intent to impose a penalty under s.155 DPA. The Notice of
Intent described the circumstances and the nature of the personal data
breach in question, explainedhe Commissioner's reasons for a
proposed penalty, and invited written representatiofrom HIV
Scotland.
47. On 20 August 2021, HIV Scotland provided written
representationsin respect of the Notice, together with supporting
documentation in relation to its finances.
16 •
ICO.
Information Commissioner's Office
48. On 30 September 2021 the Commissioner held a 'representations
meeting' to thoroughly consider the representationprovided by HIV
Scotland. At that meeting it was determined that a monetary penalty
remained appropriate in all of the circumstances.
Factors relevant to whether a penalty is appropriate, and if so, the
amount of the penalty
49. The Commissioner has considered the factors set out in Article
83(2) of the GDPRin deciding whether to issue a penalty. For the reasons
given below, she is satisfiedhat (i) the contraventionare sufficiently
serious to justify issuing a penalty in addition to exercising her corrective
powers; and (ii) the contraventions are serious enough to justify a
significant fine.
(a) the nature, gravity and duration of the infringement taking into
account the nature, scope or purpose of the processing concerned as
well as the number of data subjects affected and the level of damage
suffered by them
50. On 3 February 2020 sent an
email using Microsoft Outlookto 105 individual members of HIV
Scotland'sCAN. The email contained an agenda for a forthcoming
meeting. Instead of using the BCC feature, used the
CC feature, showing the email addresses to all that received the email.
This was aone-off incident.
51. 65 individuals could potentially be identified as their names were
included inthe email address. The other email addresses did not have
identifiablenformation in the email address but could be used to
identify individuals in combination with other information e.g. the email
address could be used to search online to discover other details about
17 •
ICO.
Information Commissioner's Office
the individual. Whilst the data comprises email addresses which in
themselves are not considered special category data, it could be
inferred that the individuals they belong to are HIV positive or
supporting someone who is.
52. The Commissioner considers that it is at least possible that there
may be an element of distress associated with this breach. There has
been one formalcomplaint received by HIV Scotland, with the
complainant stating that their HIV status had been disclosed to
strangers and their choice to tell friends or family had been taken
away.
(b) the intentional or negligent character of the infringement
53. The Commissioner considers that there is no evidence of there
being an intentional aspect to this infringehowever the
Commissioner considers that the breach was negligent since the risks
of using Outlook for sensitive communications were known by HIV
Scotland either by reference to previous ICO enforcement action, or by
HIV Scotland's knowledge of a very similar recent incident involving
another controller. Furthermore, online mailing was a key priority area
identified by HIV Scotland in April 2019, some tenths before the
breach occurred. MailChimp was procured in July 2019 and yet the CAN
group was still not migrated to MailChimp by 3 February 2020. There
was also a degree of negligence in that HIV Scotland's policies and
procedures, and also the was
not sufficient at the time of the incident.
(c) any action taken by the controller or processor to mitigate the
damage suffered by data subjects
18 •
ICO.
Information Commissioner's Office
54. All affected recipients were emailed by HIV Scotland, and a
statement was put on its website very shortly after the incident
occurring. HIV Scotland also asked all recipients to delete the email. In
addition, the matter was addressed at the CAN meeting on 8 February
2020 when HIV Scotland outlined the action it had taken and offered
the chance for queries or concernsThe sole complaint has been dealt
with.
(dl the degree of responsibility of the controller or processor taking
into account technical and organisational measures implemented by
them pursuant to Articles 25 and 32
55. HIV Scotland should have been aware of previous, very similar
incidents that the ICO has fined and publicised. They were certainly
aware of a case involving a UK controller that occurred in June 2019
and identifiedhe need for a different system. MailChimp was procured
but 7 months had passed and the CAN group had not yet been
migrated to MailChimp at the time of the incident. HIV Scotland should
have adopted a risk-based approach and should have identifiedhe
CAN list as one of the more urgent groups, noting the potential for the
inference of special category data; it is for this reason that the
Commissioner is of the view that it should have prioritised its
migration. Whilst HIV Scotland's materials suggested that
'BCC' was sufficient as a means of engaging in group emails, it should
have identifiedhat this was a risk and at the very least put other
measures in place such as not sending group emails out and sending
such emails individually until MailChimp was fully implemented.
(el any relevant previous infringements by the controller or
processor
56. The Commissioner is unaware of any previous data protection
infringementsby HIV Scotland.
19 •
ICO.
Information Commissioner's Office
(f) the degree of cooperation with the supervisory authority, in
order to remedy the infringement and mitigate the possible adverse
effects of the infringement
57. HIV Scotland were fully cooperative with the Commissioner's
investigation.
(g) the categories of personal data affected by the infringement
58. Whilst the disclosed data comprises email addresses which in
themselves are not considered special category data, the
Commissioner is of the view that it can be reasonably inferred that the
individuals whose email address were impacted included individuals
who are HIV positive or at risk of contracting the virus.
(h) the manner in which the infringement became known to the
supervisory authority, in particular whether, and if so to what extent,
the controller or processor notified the infringement
59. HIV Scotland notified the Commissioner about the breach on 3
February 2020. HIV Scotland contacted the Commissioner's Helpline
about the incident and completed the necessary 'breach report' within
2 hours of the incident occurring.
(i) where measures referred to in Article 58(2) have previously
been ordered against the controller or processor concerned with
regard to the same subject-matter, compliance with those measures;
60. Not applicable.
(j) adherence to approved codes of conduct pursuant to Article 40
or approved certification mechanisms pursuant to Article 42;
61. Not applicable.
20 •
ICO.
Information Commissioner's Office
(k) any other aggravating or mitigating factor applicable to the
circumstances of the case, such as financial benefits gained, or
losses avoided, directly or indirectly,from the infringement.
62. The Commissioner has considered the following aggravating
factor in this case:
• The Commissioner has previously taken action against
organisations for similar breaches. As such, the Commissioner
takes the view that the risks of these kind of disclosures and the
consequences for the potential harm that might be caused to
data subjects was a matter that had been reported on both in
mainstream and trade (privacy professional) media.
63. The Commissioner has considered the following mitigating
factors in this case:
• are asked to read and refer to HIV
Scotland's privacy policy - whilst this does not provide sufficient
guidance or information generally about what are
required to do, it demonstrates that data protection
considerations are not entirely absent from HIV Scotland's
induction process.
• MailChimp had been procured but at the time of the breach the
CAN group had not been migrated. The plan was that the group
would be told about this at the meeting on 8 February 2020 so
that they would be aware and to avoid emails going to 'Spam' or
it not being clear who they were from. Full migration to
MailChimp is now completed. Whilst the failure to implement this
solution quickly is a material fact to the seriousness of the
21 •
ICO.
Information Commissioner's Office
infringements, its procurement demonstrates that consideration
of the improvements that could be made, specifically the security
of email communications, was not entirely absent.
• The organisation has a training portal for-with mandatory
GDPRtraining refreshed every year.
• HIV Scotland took steps to remedy the incident by asking all
recipients to delete the email on the same day that it was sent,
and also added a message to its website.
Summary and decided penalty
64. For the reasons set out above, the Commissioner has decided to
impose a financial penalty on HIV ScotlandThe Commissioner has
taken into account the size of HIV Scotland, publicly available
information regarding its finances, and the representatimade by
HIV Scotland as to its financial position. She is mindful that the penalty
must be effective, proportionatand dissuasive.
65. Taking into account all of the factors set out above, the
Commissioner has decided to impose a penalty on HIV Scotland of
£10,000 (ten thousand pounds).
Payment of the penalty
66. The penalty must be paid to the Commissioner's office by BACS
transfer or cheque by 16 November 2021 at the latest. The penalty is
not kept by the Commissioner but will be paid into the Consolidated
Fund which isthe Government's general bank account at the Bank of
England.
22 •
ICO.
Information Commissioner's Office
67. There is a right of appeal to the First-tier Tribunal (Information
Rights) against:
(a) The imposition of the penalty; and/or,
(b) The amount of the penalty specified in the penalty notice
68. Any notice of appeal should be received by the Tribunal within 28
days of the date of this penalty notice.
69. The Commissioner will not take action to enforce a penalty
unless:
• the period specified within the notice within which a penalty must
be paid has expired and all or any of the penalty has not been
paid;
• allrelevant appeals against the penalty notice and any variation
of it have either been decided or withdrawn;and
• the period for appealing against the penalty and any variation of
it has expired.
70. In England, Wales and Northern Ireland, the penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the penalty can be enforced in the same manner as an
extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
71. Your attention is drawn to Annex 1 to this Notice, which sets out
details of your rights of appeal under s.162 DPA.
23 •
ICO.
th Information Commissioner's Office
Dated the 18day of October 2021
Director of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
24 •
ICO.
Information Commissioner's Office
ANNEX 1
DATA PROTECTION ACT 2018
Rights of appeal against decisions of the Commissioner
1. Section 162 of the Data Protection Act 2018 gives any person upon
whom a penalty notice or variation notice has been served a right of
appeal to the First-tier Tribunal (InformaRights) (the 'Tribunal')
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in
accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by
the Commissioner, that she ought to have exercised her
discretion differently,
the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
General Regulatory Chamber
HM Courts &Tribunals Service
PO Box 9300
Leicester
LEl 8DJ
Telephone: 0203 936 8963
25 •
ICO.
Information Commissioner's Office
Email: grc@justice.gov.uk
a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.
4. The noticeof appeal should state:-
a) your name and address/name and address of your representative
(if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) detailsof the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the penalty
notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice
of appeal must include a request for an extension of time and the
reason why the notice of appeal was not provided in time.
26 •
ICO.
Information Commissioner's Office
5. Before deciding whether or not to appeal you may wish to consult your
solicitor or another advAt the hearing of an appeal a party may
conduct his case himself or may be represented by any person whom
he may appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier Tribunal
(General Regulatoryhamber) are contained in sections 162 and 163
of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal
Procedure(First-tier Tribunal) (General Regulatory Chamber) Rules
2009 (StatutorInstrument2009 No. 1976 (L.20))
27
