ICO (UK) - The Central Young Men’s Christian Association

From GDPRhub
Revision as of 16:12, 7 May 2024 by Mg (talk | contribs) (→‎Holding)
ICO - The Central Young Men’s Christian Association
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
UK GDPR
Type: Investigation
Outcome: Violation Found
Started: 14.12.2022
Decided: 30.04.2024
Published:
Fine: 7,500 GBP
Parties: The Central Young Men’s Christian Association (Central YMCA)
National Case Number/Name: The Central Young Men’s Christian Association
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: lm

The DPA imposed a monetary penalty of €8,730 (£7,500) on the YMCA for violating UK GDPR security obligations by sending an email containing special categories of data to recipients using carbon copy instead of blind carbon copy.

English Summary

Facts

The Central Young Men’s Christian Association (the controller) offers a Positive Health Programme (Programme), which is an exercise scheme for people living with HIV. As part of the Programme, the Central YMCA collects special categories of data including referrals, dates of HIV diagnosis, medications taken, medical statistics, referring hospitals or clinicians and other medical history.

On 6 October 2022, a coordinator of the Programme sent an email to a mailing list of 270 recipients. The recipients were entered into the carbon copy (CC) function rather than the blind carbon copy (BCC) function, revealing the email addresses of all 270 recipients. The controller became aware of the breach the following day upon receiving complaints from affected data subjects. Upon realising the error, the coordinator attempted to unsend the email, but unintentionally sent a second email to all 270 recipients with the email addresses again entered in the CC function. Accounting for duplicates, 264 email addresses were disclosed in the breach, of which 115 had clear names and 51 had partial names that made them potentially identifiable. Thus, 166 data subjects were affected by the breach.

The controller reported the breach to the Information Commissioner’s Office (ICO) on 7 October 2022. On 10 October 2022, the controller notified the affected data subjects, took accountability of its error and informed data subjects of the steps it was taking.

At the time of the breach, the controller had a verbally communicated policy that the Programme staff should send event invitations using the BCC function. The controller had access to an email marketing tool which would permit for the sending of individual emails to each recipient, but it did not use this tool in sending emails relating to the Programme.

The controller waived its opportunity to respond to the ICO’s Notice of Intent and instead accepted the Notice and the ICO’s findings. It took remedial steps, conducting an audit of how external communications were being undertaken across the organisation and issuing new procedures to provide appropriate guidance on sending secure emails. The controller also updated its data protection training.

Holding

The ICO found that the controller violated Articles 5(1)(f) and 32 UK GDPR. It issued a monetary penalty of €8,730 (£7,500) as well as a reprimand. The ICO found that the breach resulted from serious deficiencies in the controller’s technical and organizational measures, demonstrating violations of Articles 5(1)(f) and 32 UK GDPR.

First, the controller had access to an email marketing platform which would have reduced the likelihood of an inappropriate disclosure. However, it failed to use this tool for Programme emails even though it had the financial and organizational means to do so. The use of BCC sending instead was a high-risk method of sending emails due to human error. Given this risk, the ICO considered it irrelevant whether or not the policy requiring this practice was written down.

Second, the controller did not provide data protection training specific to employee roles or levels of access to personal data. In this case, the coordinator was a self-employed contractor. The controller’s policy had been to provide training only to employees, and the coordinator had thus not completed any data protection training. Even after the policy changed and training was extended to contractors, the coordinator was still not trained.

Third, the controller did not effectively monitor completion of data protection training. At the time of the investigation, 27% of the controller’s workers – including the coordinator who sent the incident email – had not completed the data protection training.

Finally, the controller’s data protection training was deficient. The ICO found considerable lack of awareness concerning data protection legislation within some parts of the organisation; for example, employees initially did not consider the breach a concern because the email contained no private information.

Initially, the ICO considered that a penalty of €349,000 (£300,000) would be appropriate to reflect the seriousness of the breach. However, taking into account the ICO’s action on previous cases and new policy on imposing monetary penalties, the ICO reduced the fine to €8,730. In calculating the penalty, the ICO took account of the controller’s four-day delay in notifying data subjects of the breach, negligence causing the infringement, remedial measures taken, responsibility of for the breach’s occurrence, lack of previous infringements, cooperation with the ICO and the high sensitivity of the data. Given that the emails were clearly directed at individuals with HIV, the ICO determined that the incident involved a special category of data or at the least carried a risk of inference that may be considered sensitive. It considered the violation serious due to the sensitivity of the personal data involved.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 (PART 6, SECTION 155)


    SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                       MONETARY PENALTY NOTICE



TO:   The Central Young Men’s Christian Association ("the Central YMCA")


OF:   112 Great Russell Street, London WC1B 3NQ.


Introduction and Summary




1.    The Information Commissioner ("the Commissioner") has decided to issue

      the Central YMCA with a monetary penalty under section 155 of the Data

      Protection Act 2018 (“the DPA”). The penalty notice imposes an

      administrative fine on the Central YMCA, in accordance with the
      Commissioner's powers under Article 83 of the General Data Protection

      Regulation 2016 (the "UK GDPR"). The amount of the penalty is £7,500

      (seven thousand five hundred pounds).




2.    The penalty is in relation to contraventions of Articles 5(1)(f) and 32(1)

      and (2) of the UK GDPR and an incident on 6 October 2022 (the “relevant
      date”) affecting personal data processed by the Central YMCA on the

      relevant date.



3.    For the reasons set out in this Monetary Penalty Notice, the Commissioner

      has found that the Central YMCA failed to ensure appropriate security of


                                      1      personal data in its control by implementing appropriate technical and

      organisational measures and appropriate policies and procedures, as

      required by Article 5(1)(f) and Article 32(1) of the UK GDPR.


4.    This Monetary Penalty Notice explains the Commissioner's decision,

      including the Commissioner's reasons for issuing the penalty and for the

      amount of the penalty. The Central YMCA has had an opportunity to make

      representations to the Commissioner in response to the Notice of Intent
      regarding this penalty. Instead of making representations the Central

      YMCA has decided to accept the Notice of Intent and the Commissioner’s

      findings.


Legal Framework



Obligations of the Controller



5.    The Central YMCA is a controller for the purposes of the UK GDPR and the

      DPA, because it determines the purposes and means of processing of

      personal data (UK GDPR Article 4(7)).


6.    “Personal data” is defined by Article 4(1) of the UK GDPR to mean:


            “information relating to an identified or identifiable natural person

            (‘data subject’); an identifiable natural person is one who can be

            identified, directly or indirectly, in particular by reference to an

            identifier such as a name, an identification number, location data,
            an online identifier or to one or more factors specific to the physical,

            physiological, genetic, mental, economic, cultural or social identity

            of that natural person.”



                                        27.    “Processing” is defined by Article 4(2) of the UK GDPR to mean:


            “any operation or set of operations which is performed on personal

            data or on sets of personal data, whether or not by automated

            means, such as collection, recording, organisation, structuring,
            storage, adaptation or alteration, retrieval, consultation, use,

            disclosure by transmission, dissemination or otherwise making

            available,  alignment   or  combination,    restriction, erasure   or

            destruction”


8.    Article 9 of the UK GDPR prohibits the processing of “special categories of

      personal data” unless certain conditions are met. The special categories
      of personal data subject to Article 9 include:



            “personal data revealing racial or ethnic origin, political opinions,

            religious or philosophical beliefs, or trade union membership, and

            the processing of genetic data, bio-metric data for the purpose of

            uniquely identifying a natural person, data concerning health or
            data concerning a natural person’s sex life or sexual orientation”.



9.    Controllers are subject to various obligations in relation to the processing

      of personal data, as set out in the UK GDPR and the DPA. They are obliged

      by Article 5(2) to adhere to the data processing principles set out in Article
      5(1) of the UK GDPR. Article 5(2) makes clear that the “controller shall

      be responsible for, and be able to demonstrate compliance with,

      paragraph 1 ('accountability')".



10.   In particular, controllers are required to implement appropriate technical

      and organisational measures to ensure that their processing of personal



                                        3      data is secure, and to enable them to demonstrate that their processing

      is secure. Article 5(1)(f) ("Integrity and Confidentiality") stipulates that:


            “Personal data shall be […] processed in a manner that ensures

            appropriate security of the personal data, including protection
            against unauthorised or unlawful processing and against accidental

            loss, destruction or damage, using appropriate technical or

            organisational measures”.


11.   Article 32 of the UK GDPR also provides that:


            “1. Taking into account the state of the art, the costs of

            implementation and the nature, scope, context and purposes of

            processing as well as the risk of varying likelihood and severity for

            the rights and freedoms of natural persons, the controller and the
            processor shall implement appropriate technical and organisational

            measures to ensure a level of security appropriate to the risk,

            including inter alia as appropriate:



            (a)    the pseudonymisation and encryption of personal data;


            (b)    the ability to ensure the ongoing confidentiality, integrity,

                   availability and resilience of processing systems and services;


            (c)    the ability to restore the availability and access to personal

                   data in a timely manner in the event of a physical or technical

                   incident;


            (d)    a process for regularly testing, assessing and evaluating the

                   effectiveness of technical and organisational measures for
                   ensuring the security of the processing.


                                        4            2. In assessing the appropriate level of security account shall be

               taken in particular of the risks that are presented by processing,

               in particular from accidental or unlawful destruction, loss,

               alteration, unauthorised disclosure of, or access to personal data
               transmitted, stored or otherwise processed."




The C ommissioner’s Powers of Enforcement


12.   The Commissioner is the supervisory authority for the UK, as provided for

      by Article 51 of the UK GDPR.


13.   By Article 57(1) of the UK GDPR, it is the Commissioner’s task to monitor

      and enforce the application of the UK GDPR.


14.   By Article 58(2)(d) of the UK GDPR the Commissioner has the power to

      notify controllers of alleged infringements of the UK GDPR. By Article

      58(2)(i) he has the power to impose an administrative fine, in accordance
      with Article 83, in addition to or instead of the other corrective measures

      referred to in Article 58(2), depending on the circumstances of each

      individual case.


15.   By Article 83(1), the      Commissioner    is required   to ensure    that

      administrative fines issued in accordance with Article 83 are effective,

      proportionate, and dissuasive in each individual case. Article 83(2) goes

      on to provide that:


            “When deciding whether to impose an administrative fine and

            deciding on the amount of the administrative fine in each individual

            case due regard shall be given to the following:


                                       5(a) the nature, gravity and duration of the infringement

taking into account the nature scope or purpose of the

processing concerned as well as the number of data subjects

affected and the level of damage suffered by them;


(b) the intentional or negligent character of the infringement;



(c) any action taken by the controller or processor to mitigate

the damage suffered by data subjects;


(d) the degree of responsibility of the controller or processor

taking into account technical and organisational measures

implemented by them pursuant to Articles 25 and 32;



(e) any relevant previous infringements by the controller or
processor;



(f) the degree of cooperation with the supervisory authority,

in order to remedy the infringement and mitigate the possible

adverse effects of the infringement;


(g) the   categories  of  personal   data  affected  by  the

infringement;



(h) the manner in which the infringement became known to

the supervisory authority, in particular whether, and if so to
what extent,    the  controller or  processor   notified the

infringement;


                     6                  (i) where measures referred to in Article 58(2) have

                  previously been ordered against the controller or processor

                  concerned    with  regard   to  the   same    subject-matter,

                  compliance with those measures;


                  (j) adherence to approved codes of conduct pursuant to

                  Article 40 or approved certification mechanisms pursuant to

                  Article 42; and



                  (k) any other aggravating or mitigating factor applicable to

                  the circumstances of the case, such as financial benefits

                  gained, or losses avoided, directly or indirectly, from the

                  infringement.”


16.   Article 83(5) UK GDPR provides, inter alia, that infringements of the

      obligations imposed by Article 5 UK GDPR on the controller and processor

      will, in accordance with Article 83(2), be subject to administrative fines

      of up to €20 million or, in the case of an undertaking, up to 4% of its total

      worldwide annual turnover of the preceding financial year, whichever is

      higher.


17.   The DPA contains enforcement provisions in Part 6 which are exercisable

      by the Commissioner.  1 Section 155 of the DPA sets out the matters to

      which the Commissioner must have regard when deciding whether to

      issue a penalty notice and when determining the amount of the penalty

      and provides that:



1Section 115 DPA establishes that the Commissioner is the UK's supervisory authority for the purposes
of the UK GDPR.
                                       7            “(1) If the Commissioner is satisfied that a person—



                  (a) has failed or is failing as described in section 149(2) …,


                  the Commissioner may, by written notice (a "penalty notice"),

                  require the person to pay to the Commissioner an amount in

                  sterling specified in the notice.


            (2) Subject to subsection (4), when deciding whether to give a

            penalty notice to a person and determining the amount of the

            penalty, the Commissioner must have regard to the following, so

            far as relevant—



                  (a) to the extent that the notice concerns a matter to which
                  the GDPR applies, the matters listed in Article 83(1) and (2)

                  of the UK GDPR.”




18.   The failures identified in section 149(2) DPA are, insofar as relevant here:


            “(2) The first type of failure is where a controller or processor has

            failed, or is failing, to comply with any of the following—


                  (a) a provision of Chapter II of the UK GDPR or Chapter 2 of

                  Part 3 or Chapter 2 of Part 4 of this Act (principles of

                  processing);



                  …;





                                       8                  (c) a provision of Articles 25 to 39 of the UK GDPR or section

                  64 or 65 of this Act (obligations of controllers and processors)

                  […]”



19.   Schedule 16 includes provisions relevant to the imposition of penalties.

      Paragraph 2 makes provision for the issuing of notices of intent to impose
      a penalty, as follows:



            “(1) Before giving a person a penalty notice, the Commissioner

            must, by written notice (a "notice of intent") inform the person that

            the Commissioner intends to give a penalty notice.”



The Commissioner's Regulatory Action Policy



20.   Pursuant to section 160(1) DPA, the Commissioner published his
      Regulatory Action Policy ("RAP”) on 7 November 2018.



21.   The process the Commissioner will follow in deciding the appropriate

      amount of a penalty to be imposed is described in the RAP from page 27

      onwards. In particular, the RAP sets out the following five-step process:


         a. Step 1. An ‘initial element’ removing any financial gain from the

            breach.



         b. Step 2. Adding in an element to censure the breach based on its

            scale and severity, taking into account the considerations identified
            at section 155(2) - (4) DPA.





                                      9         c. Step 3. Adding in an element to reflect any aggravating factors. A

            list of aggravating factors which the Commissioner would take into

            account, where relevant, is provided at page 11 of the RAP. This
            list is intended to be indicative, not exhaustive.



         d. Step 4. Adding in an amount for deterrent effect to others.



         e. Step 5. Reducing the amount (save that in the initial element) to
            reflect any mitigating factors, including ability to pay (financial

            hardship). A list of mitigating factors which the Commissioner would

            take into account, where relevant, is provided at page 11-12 of the

            RAP. This list is intended to be indicative, not exhaustive.




Circumstances of    the Failure: Facts



General Background



22.   This Penalty Notice does not purport to identify exhaustively each and
      every circumstance and document relevant to the Commissioner’s

      investigation. The circumstances and documents identified below are a

      proportionate summary.



23.   The Central YMCA is an education and wellbeing charity registered as a

      data controller with the Information Commissioner's Office (the "ICO"). It
      provides a number of community programmes, one of which is the

      Positive Health Programme.






                                      1024.   The Positive Health Programme ("Programme") is run by the Positive

      Health team as part of YMCA Club. YMCA Club is a large gym facility,

      which is part of the Central YMCA.


25.   The Programme is an exercise scheme for people living with HIV. As part

      of the Programme, the Central YMCA collects special category data (the

      aims of referral to the Programme, the date of HIV diagnosis, the

      medication taken, the individual's medical statistics, other medical history
      and their referring clinician/hospital).



26.   On 6 October 2022 at approximately 15:34 BST, a co-ordinator for the

      Programme sent an email to a mailing list of 270 recipients, inviting them

      to a talk about nutrition.


27.   The Programme co-ordinator used an email programme (Microsoft

      Outlook) to send the email. At the relevant date, the Central YMCA had a
      verbally communicated policy that the Programme team should send

      event invitations via Microsoft Outlook using the blind carbon copy

      (“BCC”) function.


28.   The co-ordinator unfortunately included those email addresses in the

      carbon copy (“CC”) function, thus revealing all of the email addresses to

      all 270 recipients.


29.   The day after, on realising the error, the co-ordinator used the recall

      function within Microsoft Outlook to try and recall the email sent. This
      however led to another email to all 270 recipients. It was the Programme

      team's belief that this would remove the original message from the

      recipients' inboxes.




                                     11The number of data subjects involved


30.   Whilst the emails had been sent to 270 recipients, there were duplicates,

      so they were sent to 264 unique email addresses.


31.   The emails were not delivered to 9 of those email addresses, so the emails

      were delivered to 255 recipients, disclosing 264 email addresses.



32.   The Central YMCA then assessed that 115 of those had clear names in
      them, and a further 51 contained at least part of a name, making them

      potentially identifiable. Therefore 166 data subjects were affected by the

      breach, all of whom are in the Programme.



The nature of the personal data and special category data disclosed


33.   As part of its guidance and resources relating to UK GDPR, the

      Commissioner has produced detailed guidance in relation to special

      category data. The guidance includes a sub-section titled 'What is special

      category data?' which establishes that special category data is not just

      personal data which specifies relevant details but also personal data
      "revealing or concerning" those details. The test to be met is whether the

      relevant information can be inferred with a reasonable degree of

      certainty, and if so, it is likely to be special category data.



34.   As well as the disclosure of 166 email addresses containing personal data,

      the context of the email was the Programme. The invite to the event for
      nutrition guidance to individuals meant that it can be reasonably assumed

      that the recipients of the email would be aware that the Programme is

      directed at individuals with HIV. If the recipients were not part of the

                                      12      Programme, they could find out what the Programme was on the Central

      YMCA's website.


35.   Recipients of the email can therefore infer from its contents that the 166

      individuals whose email addresses were disclosed in the breach were

      likely to be living with HIV, meaning that the disclosed personal data

      included health data, which in turn is special category data under Article

      9(1) of the UK GDPR.


36.   The Central YMCA had also set expectations of privacy in its Programme,
      and that some members of the Programme may have wished to remain

      anonymous, even to other members of the Programme, whilst noting that

      "all recipients are assumed to have an HIV positive diagnosis".


37.   Even if the personal data was not considered to be special category data,

      there are particular sensitivities regarding the personal data being

      processed in the Programme, which the Central YMCA should have

      considered and taken a cautious approach when processing it, as set out
      in the Commissioner's guidance referred to in paragraph 33:


           "If you think the data carries a risk of inferences that might be

           considered sensitive or private, even if this falls short of revealing

           something about one of the special categories with any level of

           certainty, then you should also carefully consider fairness issues

           and whether there is anything more you can do to minimise privacy

           risks."


Discovery    of  the  breach,    reporting   to  the   Commissioner     and
communications to data subjects





                                     1338.   The Central YMCA became aware of the breach on the morning after the

      email was sent, as a result of complaints received from recipients.


39.   The YMCA Club informed the Central YMCA's Data Protection Officer (DPO)

      later that morning, with a breach report being made to the ICO that

      evening. This was in line with Article 33 of the UK GDPR and within the

      72 hour period.


40.   In accordance with Article 34 of the UK GDPR the Central YMCA notified

      affected data subjects on 10 October 2022, setting out the cause of the

      breach, took accountability for the error and informed data subjects of

      the steps the Central YMCA were taking, including reporting the incident

      to the ICO and conducting an internal review. The data controller provided

      the DPO’s contact details for anyone affected to ask questions or to
      discuss how the breach had affected them.



The Commissioner’s Investigation



41.   The Commissioner first wrote to the Central YMCA on 14 December 2022
      asking for further information in relation to the actions the Central YMCA

      had taken following the data breach notification it had made on 7 October

      2022. During the period between February 2023 and April 2023,

      subsequent enquiries were raised by the Commissioner seeking additional

      information from the Central YMCA.


42.   The Commissioner's investigation found four key areas where the Central

      YMCA failed to take reasonable steps to prevent this breach:


         a. The Central YMCA had no written policy in place regarding the

            sending of group emails,

                                      14         b. The Central YMCA had access to an email marketing platform (and

            the use of this platform would have reduced the likelihood of an

            inappropriate disclosure) however the Central YMCA did not use it
            in this case,

         c. The Central YMCA failed to effectively monitor completion of data

            protection training, and

         d. There is evidence of deficiencies within the Central YMCA's data

            protection training.



The Contraventions of Articles of 5 (1)(f) and 32 (1) and (2) of the UK

GDPR



43.   The Commissioner has considered whether the facts set out above

      constitute a contravention of the data protection legislation.


44.   For the reasons set out below, the Commissioner has taken the view from

      his investigation that this breach occurred as a result of serious

      deficiencies in the technical and organisational measures implemented by

      the Central YMCA.


45.   For the reasons set out below, and having carefully considered the

      information provided by the Central YMCA, the Commissioner's view is

      that the Central YMCA failed to comply with Articles 5 (1)(f) and 32(1)

      and (2) of the UK GDPR.




Article 5 (1)(f) and 32(1) and (2) of the UK GDPR





                                     1546.   The Commissioner finds that the Central YMCA has failed to comply with

      the requirements of Article 5(1)(f) of the UK GDPR, including to process

      personal data "in a manner that ensures appropriate security of the data,
      including protection against unauthorised or unlawful processing, using

      appropriate technical or organisational measures". In making this

      determination, the Commissioner takes into account the Central YMCA's

      failure to comply with Articles 32(1), 32(1)(a), 32(1)(b) and 32(2) of the

      UK GDPR, which was demonstrated by the Central YMCA's failure to
      implement appropriate technical and organisational measures:



         a. not having a relevant written policy or procedure in place;

         b. inappropriately relying on the use of BCC to send group emails;

         c. not providing data protection training specific to employee roles and

            levels of access to personal data;
         d. a lack of awareness of data protection legislation within some parts

            of the organisation; and

         e. not effectively monitoring completion of data protection training.



            (1) not having a relevant written policy or procedure


47.   At the time of the security incident, the Central YMCA did not have

      sufficient written information security policies or procedures to prevent

      this breach. It only had a verbal policy to use BCC in emails, both of which

      are insufficient and not appropriate for managing special category data.

      It also communicated relatively frequently using this method.


48.   Another part of the Central YMCA (the Communications and Marketing

      team) had an email marketing tool, BrotherMailer, which could have been

      used to mitigate this risk and handle the special category data


                                       16      appropriately, by sending individual emails to each recipient. However,

      the Central YMCA did not know that the Programme was sending emails

      of this nature.


49.   Relevant industry standards and guidance, including ISO27001, NIST

      Cyber Security Framework, and the ICO and National Cyber Security

      Centre co-published guidance, "GDPR Security Outcomes", establish that

      organisations should have written security policies and procedures in
      place.



50.   ISO27001 recommends that: “A set of policies for information security

      shall be defined, approved by management, published and communicated

      to employees and relevant external parties”. The NIST Cyber Security

      Framework requires that an: “Organizational cybersecurity policy is
      established and communicated”, and the GDPR Security Outcomes sets

      out that to protect personal data against cyber-attacks organisations

      should "define, implement, communicate and enforce appropriate policies

      and processes that direct your overall approach to securing systems

      involved in the processing of personal data".


51.   It is the Commissioner's view that the lack of documented and

      appropriate security policies and procedures to deal with the sending of

      emails with special category data was in non-compliance with Article

      32(1) of the UK GDPR. The lack of such documentation also contributed

      to the Central YMCA failing to process personal data in a manner that
      ensured appropriate security of the personal data, including protection

      against unauthorised or unlawful processing, using appropriate technical

      or organisational measures, as required by Article 5(1)(f) of the UK GDPR.

      It also meant that the Central YMCA had not assessed the appropriate


                                     17      level of security with regard to the risks of its data processing, particularly

      here in respect of the unauthorised disclosure of an individual's special

      category data to other participants in the Programme, as required by
      Article 32(2) of the UK GDPR.



            (2) inappropriately relying on the use of BCC to send group

            emails


52.   As the Commissioner refers to above, the lack of a documented policy

      meant that whilst the Programme co-ordinator believed that they were
      acting in an appropriate way, following the verbal policy to use BCC, this

      was an inappropriately insecure method of doing so. This is because it

      relies on the individual sending the email to ensure that it goes in the BCC

      field and not, as happened here, in the CC field, thus exposing individuals'

      special category data.


53.   The Central YMCA had the financial and organisational means to

      implement BrotherMailer in the Programme team but failed to do so. As

      the Central YMCA procured the BrotherMailer tool for use elsewhere in the

      Central YMCA, it can be inferred that parts of the Central YMCA knew that

      reliance on sending emails by BCC was inappropriate, but that this
      knowledge,   the   process  and   the   tool were   not   appropriately

      communicated throughout the Central YMCA.



54.   If the Central YMCA had used BrotherMailer it would also have likely

      safeguarded the personal data from inappropriate disclosure.


            (3) not providing data protection training specific to

            employee roles and levels of access to personal data



                                     1855.   The Central YMCA told the Commissioner that the Programme co-

      ordinator had been initially a self-employed contractor in a different team.

      They had not completed data protection training and it had been the
      Central YMCA's policy to provide training only to employees.



56.   This changed in March 2022, but as the Commissioner notes below in

      point 5, the Programme co-ordinator still did not take the training.


57.   The Central YMCA used a training partner called Bob's Business Ltd. The

      Central YMCA provided copies of this training to the Commissioner during

      the investigation. It included sections on the sending of group emails, but

      it also stated (despite what the Central YMCA said about there being no

      written policy) that individuals should use BCC when sending to multiple

      contacts.


58.   Whilst completion of that training may have reduced the risk of the

      inappropriate disclosure, BCC is still a high risk method of sending emails

      and hence the training would not have eliminated the risk of human error.


59.   The training did not highlight the increased risks when processing special

      category data, nor did it bring attendees' attention to the fact that there

      was within the Central YMCA the BrotherMailer platform available which

      would have provided an appropriately secure alternative method to send

      emails.


60.   The Commissioner expected the Central YMCA to provide role specific

      data protection training, at a sufficient quality to ensure that data

      protection is understood, and proportionate to the individual's level of

      access to, and sensitivity of, personal data.


                                       19            (4) a lack of awareness of data protection legislation within

            some parts of the organisation


61.   The Commissioner noted in its investigation that there is evidence of a

      lack of awareness of data protection legislation in the Programme team.

      For example, they did not initially understand the seriousness of the

      breach, referring to a "possible breach" when reporting it, and stating that
      the email "contained no private information".



            (5) not effectively monitoring completion of data protection

            training



62.   The Programme co-ordinator had not completed data protection training
      prior to the data breach. At the relevant time, 73% of workers at the

      Central YMCA had completed the relevant training module.



63.   Before the Programme co-ordinator moved to a fixed term contract in

      2022, they were signed up to certain induction modules, including data
      protection training. They did not complete this training, nor did they do

      so when training was required for self-employed contractors. A process

      was in place for line managers to ensure induction checklists were

      completed, but there was no central oversight. A reporting mechanism

      was in place to assess non-completion, but this did not work either.


64.   The Commissioner expected the Central YMCA to monitor training

      effectively and ensure that mandatory training was completed, in line with

      the Central YMCA's policies.




                                      20Factors relevant to whether a penalty is appropriate, and if so, the

amount of the penalty


65.   The Commissioner has considered the factors set out in Article 83(2) of

      the UK GDPR in deciding whether to issue a penalty. For the reasons given

      below, he is satisfied that: (i) the contraventions are sufficiently serious

      to justify issuing a penalty in addition to exercising his corrective powers;

      and (ii) the contraventions are serious enough to justify a significant fine.


(a)   the nature, gravity and duration of the infringement taking into

account the nature, scope or purpose of the processing concerned as

well as the number of data subjects affected and the level of damage

suffered by them


Nature:


66.   As the Commissioner sets out above, this was a disclosure of special

      category data in circumstances where confidentiality was expected, and

      the Central YMCA had not taken appropriate actions to appropriately

      secure the special category data. The Central YMCA had intended to use
      BCC which is not appropriately secure, and the Programme co-ordinator

      then used CC which was not secure.



67.   The Commissioner's investigation into the incident revealed multiple

      infringements of the UK GDPR as set out in paragraphs 41 to 64 above.

      In particular, the Commissioner found breaches of Article 5(1)(f) and
      32(1) and (2) due to: no written policy being in place for the sending of

      group emails; the email marketing platform not being used hence CC

      being used by mistake; not effectively monitoring the completion of data

      protection training; and deficiencies within that training itself.

                                     21Gravity:


68.   The contravention is serious, in particular having regard to the sensitivity

      of the personal data processed by the Central YMCA.



69.   In addition, the Commissioner takes account of the risks to data subjects

      that arise from the loss of control and disclosure of what they considered
      and expected to be confidential special category data, as it was special

      category data for 166 data subjects given that a positive HIV diagnosis

      can be inferred with a reasonable degree of certainty.




Number of data subjects



70.   The number of data subjects is 166, as set out above at paragraph 69.


Duration



71.   The Commissioner considers that the contraventions relating to Articles

      5(1)(f) and 32(1) of the UK GDPR were from 6 October 2022 at 15:34
      BST when the breach occurred. It was not until 10 October 2022 that the

      individuals on the affected mailing list were emailed to advise of the

      breach.



(b)   the intentional or negligent character of the infringement



72.   The Commissioner considers that the infringement was negligent for the

      reasons set out in paragraphs 66 to 69 above.


                                     22(c)   any action taken by the controller or processor to mitigate the

damage suffered by data subjects


73.   The Central YMCA complied with Article 34 of the UK GDPR to notify data

      subjects of the personal data breach, but this took from 6 October to 10

      October to do so.


74.   The Central YMCA also implemented short and longer term remedial

      measures, including an attempted email recall which was ineffective,

      immediate breach reporting to the Central YMCA DPO and feedback to the

      staff involved about the approach they had taken being ineffective.



(d)   the degree of responsibility of the controller or processor taking
into account technical and organisational measures implemented by

them pursuant to Articles 25 and 32





75.   Article 32 of the UK GDPR requires organisations to implement
      appropriate technical and organisational measures to ensure a level of

      security appropriate to the risks presented by their processing; to include

      the potential impacts these risks may have on the rights and freedoms of

      natural persons.



76.   More specifically, Article 32(1)(b) of the UK GDPR requires organisations
      to implement measures that ensure the ongoing confidentiality, integrity,

      availability and resilience of their processing systems and services.


77.   The Commissioner is satisfied that for the reasons set out in the

      paragraphs above that the Central YMCA did not have sufficient measures

                                     23     in place to ensure the ongoing integrity and resilience of processing

     systems and services in line with Articles 5(1)(f) and 32(1).


(e)  any   relevant  previous   infringements   by   the  controller  or

processor



78.  The Commissioner has not identified any relevant previous infringements
     by the Central YMCA.



(f)  the degree of cooperation with the supervisory authority, in order

to remedy the infringement and mitigate the possible adverse effects

of the infringement


79.  The Central YMCA fully cooperated with the Commissioner's investigation.



(g)  the categories of personal data affected by the infringement


80.  The categories of personal data affected is set out above at paragraphs

     33 to 37.


(h)  the manner in which the infringement became known to the

supervisory authority, in particular whether, and if so to what extent,

the controller or processor notified the infringement



81.  The Central YMCA self-reported the personal data breach to the

     Commissioner within 72 hours of becoming aware of the incident.


(i)  where measures referred to in Article 58(2) have previously been

ordered against the controller or processor concerned with regard to

the same subject-matter, compliance with those measures;

                                   2482.   Not applicable.


(j)   adherence to approved codes of conduct pursuant to Article 40 or

approved certification mechanisms pursuant to Article 42;



83.   Not applicable.


(k)   any other aggravating or mitigating factor applicable to the

circumstances of the case, such as financial benefits gained, or losses

avoided, directly or indirectly, from the infringement.



84.   The Commissioner has considered the following aggravating factors in

      this case:
         a. Not applicable.



85.   The Commissioner took into account the following mitigating factors:

         a. Not applicable.




Summary and Penalty


86.   For the reasons set out above, the Commissioner has decided to impose

      a financial penalty on the Central YMCA. Taken together the findings

      above concerning the infringement, its likely impact, and the fact that the

      Central  YMCA   failed  to comply   with   its GDPR   obligations,  the

      Commissioner has decided to apply an effective, dissuasive and
      proportionate penalty reflecting the seriousness of the breach which has

      occurred.



                                     25Calculation of Penalty



87.   The Commissioner considers that imposition of a financial penalty would

      be an effective and proportionate action to ensure future compliance.



88.   Following the Five Step process set out in the RAP the calculation of the
      proposed penalty is as follows.



89.   Step 1: An initial element removing any financial gain from the breach.

      There was no evidence of financial gain from the breach.



90.   Step 2: Adding in an element to censure the breach based on its scale
      and severity, taking into account the considerations identified at section

      155(2)-(4) DPA. This refers to and repeats the matters listed in Article

      83(1) and (2) as set out above. The details are set out above and the

      conclusion at step 2, taking into account: (a) the matters set out above

      at paragraphs 65 to 83, (b) the matters referred to in this section and (c)
      the need to apply an effective proportionate and dissuasive fine the

      Commissioner considers that a penalty of £300,000 would be appropriate

      before adjustment in accordance with Steps 3-5 below. This amount is

      considered appropriate to reflect the seriousness of the breach and takes

      into account in particular the need for the penalty to be effective,

      proportionate and dissuasive.


91.   Step 3: Adding in an element to reflect and aggravating factors (Article

      83(2)(k)). The Commissioner considered that there were no additional

      factors relevant to the setting of the penalty were addressed during Step

      2.



                                       2692.   Step 4: Adding an amount for deterrent effect to others. The

      Commissioner considered that the factors relevant to the setting of the

      penalty were addressed during Step 2.


93.   Step 5: Reducing the amount to reflect any mitigating factors including

      ability to pay. The Commissioner does not believe that there are any

      mitigating factors relevant to step 5 even though new procedures have

      been implemented and better training and written policies have been
      applied. The Commissioner expects any organisation to have these in

      place as a matter of course. However, taking into account the

      Commissioner's current policy and its action on previous cases, the

      Commissioner reduced the value of the fine to £7,500.



The amount of the penalty


94.   For the reasons explained above, the Commissioner is satisfied that the
      conditions from the factors set out in Article 83(2) of the UK GDPR have

      been met in this case and that he has adopted fair procedure. The latter

      has included issuing a Notice of Intent, in which the Commissioner set out

      his preliminary thinking. The Central YMCA had the opportunity to make

      written representations in response to the Notice of Intent but instead
      has decided to accept the Notice of Intent and the Commissioner's

      findings.



95.   In making his decision, the Commissioner has also had regard to the

      factors set out in s108(2)(b) of the Deregulation Act 2015; including: the

      nature and level of risks associated with non-compliance, including the
      risks to economic growth; the steps taken by the business to achieve

      compliance and reasons for its failure; the willingness and ability of the

      business to address non-compliance; the likely impact of the proposed

                                      27      intervention on the business, and the likely impact of the proposed

      intervention on the wider business community, both in terms of deterring

      non-compliance and economic benefits to legitimate businesses.


96.   Taking into account all of the factors set out above, the Commissioner

      has decided to impose a penalty on the Central YMCA of £7,500 (seven

      thousand and five hundred pounds).





Conclusion


97.   The monetary penalty must be paid to the Commissioner's office by BACS

      transfer or cheque by 3 April 2024 at the latest. The monetary penalty

      is not kept by the Commissioner but will be paid into the Consolidated

      Fund which is the Government's general bank account at the Bank of
      England.



98.   There is a right of appeal to the First-tier Tribunal (Information Rights)

      against:

         a) The imposition of the penalty; and/or,
         b) The amount of the penalty specified in the penalty notice



99.   Any notice of appeal should be received by the Tribunal within 28 days of

      the date of this penalty notice.



100. The Commissioner will not take action to enforce a penalty unless:
        the period specified within the notice within which a penalty must be

         paid has expired and all or any of the penalty has not been paid;




                                      28        all relevant appeals against the penalty notice and any variation of it

         have either been decided or withdrawn; and

        the period for appealing against the penalty and any variation of it has
         expired



101. In England, Wales and Northern Ireland, the penalty is recoverable by

      Order of the County Court or the High Court. In Scotland, the penalty can

      be enforced in the same manner as an extract registered decree arbitral
      bearing a warrant for execution issued by the sheriff court of any

      sheriffdom in Scotland.



102. Your attention is drawn to Annex 1 to this Notice, which sets out details

      of your rights of appeal under s.162 DPA 2018.


Dated the 6th day of March 2024













Anthony Luhman
Temporary Director of Investigations
Information Commissioner’s Office
Wycliffe House

Water Lane
Wilmslow
Cheshire
SK9 5AF






                                      29    ANNEX 1



           Rights of appeal against decisions of the Commissioner


1.    Section 162 of the Data Protection Act 2018 gives any person upon

      whom a penalty notice or variation notice has been served a right

      of appeal to the First-tier Tribunal (Information Rights) (the
      Tribunal') against the notice.



2.    If you decide to appeal and if the Tribunal considers:-





          a)    that the notice against which the appeal is brought is
                not in accordance with the law; or



          b)    to the extent that the notice involved an exercise of

                discretion by the Commissioner, that she ought to have

                exercised her discretion differently


      the Tribunal will allow the appeal or substitute such other decision

      as could have been made by the Commissioner. In any other case

      the Tribunal will dismiss the appeal.



3.    You may bring an appeal by serving a notice of appeal on the
      Tribunal at the following address:

                GRC & GRP Tribunals
                PO Box 9300

                Arnhem House
                31 Waterloo Way
                Leicester
                LE1 8DJ


                                           30                Telephone: 0203 936 8963
                Email: grc@justice.gov.uk


          a)    The notice of appeal should be sent so it is received

                by the Tribunal within 28 days of the date of the

                notice.


          b)    If your notice of appeal is late the Tribunal will not

                admit it unless the Tribunal has extended the time for

                complying with this rule.



4.    The notice of appeal should state:-


      a)    your name and address/name and address of your representative (if

            any);

      b)    an address where documents may be sent or delivered to you;

      c)    the name and address of the Information Commissioner;

      d)    details of the decision to which the proceedings relate;
      e)    the result that you are seeking;

      f)    the grounds on which you rely;

      g)    you must provide with the notice of appeal a copy of the penalty

            notice or variation notice;

      h)    if you have exceeded the time limit mentioned above the notice of

            appeal must include a request for an extension of time and the
            reason why the notice of appeal was not provided in time.



5.    Before deciding whether or not to appeal you may wish to consult your

      solicitor or another adviser. At the hearing of an appeal a party may

      conduct his case himself or may be represented by any person whom he
      may appoint for that purpose.


                                          316.    The statutory provisions concerning appeals to the First-tier Tribunal

      (General Regulatory Chamber) are contained in sections 162 and 163 of,
      and Schedule 16 to, the Data Protection Act 2018, and Tribunal

      Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009

      (Statutory Instrument 2009 No. 1976 (L.20)).












































                                         32