ICO (UK) - The Central Young Men’s Christian Association
| ICO - The Central Young Men’s Christian Association | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR; UK GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 14.12.2022 |
| Decided: | 30.04.2024 |
| Published: | |
| Fine: | 7,500 GBP |
| Parties: | The Central Young Men’s Christian Association (Central YMCA) |
| National Case Number/Name: | The Central Young Men’s Christian Association |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | lm |
The DPA imposed a €8,730 (£7,500) fine on Central YMCA for violating UK GDPR security obligations by sending an email directed at HIV-positive individuals with the recipients in CC instead of BCC, and noted that even sending via BCC is a high-risk practice because it relies on the sender not making a mistake.
English Summary
Facts
The Central Young Men’s Christian Association (the controller) offers a Positive Health Programme (Programme), which is an exercise scheme for people living with HIV. As part of the Programme, the Central YMCA collects special categories of data including referrals, dates of HIV diagnosis, medications taken, medical statistics, referring hospitals or clinicians and other medical history.
On 6 October 2022, a coordinator of the Programme sent an email to a mailing list of 270 recipients. The recipients were entered into the carbon copy (CC) function rather than the blind carbon copy (BCC) function, revealing the email addresses of all 270 recipients. The controller became aware of the breach the following day upon receiving complaints from affected data subjects. Upon realising the error, the coordinator attempted to unsend the email, but unintentionally sent a second email to all 270 recipients with the email addresses again entered in the CC function. Accounting for duplicates, 264 email addresses were disclosed in the breach, of which 115 had clear names and 51 had partial names that made them potentially identifiable. Thus, 166 data subjects were affected by the breach.
The controller reported the breach to the Information Commissioner’s Office (ICO) on 7 October 2022. On 10 October 2022, the controller notified the affected data subjects, took accountability for its error and informed data subjects of the steps it was taking.
At the time of the breach, the controller had a verbally communicated policy that Programme staff should send event invitations using the BCC function. The controller had access to an email marketing tool which would permit the sending of a separate email to each recipient, but it did not use this tool for emails relating to the Programme.
The controller waived its opportunity to respond to the ICO’s Notice of Intent and instead accepted the Notice and the ICO’s findings. It took remedial steps, conducting an audit of how external communications were being undertaken across the organisation and issuing new procedures to provide appropriate guidance on sending secure emails. The controller also updated its data protection training.
Holding
The ICO found that the controller violated Articles 5(1)(f) and 32 UK GDPR and issued a monetary penalty of €8,730 (£7,500) together with a reprimand. In its view, the breach resulted from serious deficiencies in the controller’s technical and organisational measures, in four respects.
First, the controller had access to an email marketing platform that sends a separate email to each recipient, which would have reduced the likelihood of an inappropriate disclosure. It failed to use this tool for Programme emails even though it had the financial and organisational means to do so. Sending via BCC instead was a high-risk method because it relies on the sender putting the addresses in the correct field; the ICO therefore considered that even a written policy or training mandating BCC would not have eliminated the risk of human error.
Second, the controller did not provide data protection training specific to employee roles or levels of access to personal data. In this case, the coordinator was a self-employed contractor. The controller’s policy had been to provide training only to employees, and the coordinator had thus not completed any data protection training. Even after the policy changed and training was extended to contractors, the coordinator was still not trained.
Third, the controller did not effectively monitor completion of data protection training. At the time of the investigation, 27% of the controller’s workers – including the coordinator who sent the incident email – had not completed the data protection training.
Finally, the controller’s data protection training was deficient. The ICO found considerable lack of awareness concerning data protection legislation within some parts of the organisation; for example, employees initially did not consider the breach a concern because the email contained no private information.
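As an added illustration (this is not code from the ICO decision or from Central YMCA), the following Python contrasts the two sending patterns the holding discusses: one message with every address in a Cc or Bcc header, where a single mis-fielded list exposes everyone, and one message per recipient, where no recipient header can carry another person's address. It also shows a pre-send guard that refuses any message whose To/Cc headers would expose more than a permitted number of addresses. The sender address, the recipient list and the one-visible-recipient threshold are constructed assumptions; the recipient list mirrors the incident's figures (270 entries, 264 unique).

```python
"""Group-email patterns: one message for all recipients vs one message each.

Assumptions (not from the decision): sender and recipient addresses below are
constructed, and MAX_VISIBLE_RECIPIENTS is a hypothetical policy threshold.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Sequence, Tuple

# Hypothetical policy: a notice to Programme members may show one address only.
MAX_VISIBLE_RECIPIENTS = 1


def build_group_message(sender: str, recipients: Sequence[str],
                        subject: str, body: str, field: str = "Bcc") -> EmailMessage:
    """The pattern the ICO criticised: one message, every address in a single
    header field. With field="Cc" (as in the incident) every recipient sees
    all the others; with field="Bcc" the outcome depends entirely on the
    sender having picked the right field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg[field] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_individual_messages(sender: str, recipients: Sequence[str],
                              subject: str, body: str) -> List[EmailMessage]:
    """The safer pattern (what a per-recipient mailing tool does): one message
    per unique recipient, so no header can ever list another person."""
    messages = []
    for rcpt in dict.fromkeys(recipients):  # de-duplicate, keep order
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Unique addresses every recipient will be able to read. Bcc is not
    included because mail clients and MTAs strip it before delivery; To and
    Cc travel with the message."""
    raw = [str(msg.get(h, "")) for h in ("To", "Cc")]
    addrs = [addr for _, addr in getaddresses(raw) if addr]
    return list(dict.fromkeys(addrs))


def check_before_send(msg: EmailMessage,
                      max_visible: int = MAX_VISIBLE_RECIPIENTS) -> Tuple[bool, str]:
    """Pre-send guard (a send hook or mail-flow rule, not a user checklist):
    refuse any message whose visible headers expose too many addresses."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        return False, f"{len(seen)} addresses visible in To/Cc (limit {max_visible})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed list: 264 unique members plus 6 duplicates = 270 entries.
    members = [f"member{i}@example.org" for i in range(264)]
    members += [f"member{i}@example.org" for i in range(6)]
    sender = "coordinator@example.org"

    cc_msg = build_group_message(sender, members, "Nutrition talk", "Details inside.", field="Cc")
    print("Cc message:", check_before_send(cc_msg))          # rejected
    bcc_msg = build_group_message(sender, members, "Nutrition talk", "Details inside.", field="Bcc")
    print("Bcc message:", check_before_send(bcc_msg))        # accepted, but only because the field was right
    singles = build_individual_messages(sender, members, "Nutrition talk", "Details inside.")
    print("Individual messages:", len(singles), "all pass:",
          all(check_before_send(m)[0] for m in singles))
```

The guard rejects the Cc message and accepts the Bcc one, because it inspects what recipients will actually see. That is the limit the ICO pointed at: a control that still depends on the sender choosing the right field reduces the risk but does not remove it, whereas generating one message per recipient removes the field choice altogether. The guard is still worth having as a backstop at the point where messages leave the organisation, and it is the place to also catch a mistaken recall that resends the same headers.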
Initially, the ICO considered that a penalty of €349,000 (£300,000) would be appropriate to reflect the seriousness of the breach. However, taking into account its action in previous cases and its new policy on imposing monetary penalties, the ICO reduced the fine to €8,730 (£7,500). In calculating the penalty, the ICO took account of the controller’s four-day delay in notifying data subjects of the breach, the negligent character of the infringement, the remedial measures taken, the controller’s degree of responsibility for the breach, the lack of previous infringements, its cooperation with the ICO and the high sensitivity of the data. Given that the emails were clearly directed at individuals with HIV, the ICO determined that the incident involved special category data, or at the very least carried a risk of inferences that may be considered sensitive, and considered the violation serious because of the sensitivity of the personal data involved.
Text of the Decision
The decision below is reproduced from the ICO’s English original; refer to the original for the full document.
DATA PROTECTION ACT 2018 (PART 6, SECTION 155) SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE TO: The Central Young Men’s Christian Association ("the Central YMCA") OF: 112 Great Russell Street, London WC1B 3NQ. Introduction and Summary 1. The Information Commissioner ("the Commissioner") has decided to issue the Central YMCA with a monetary penalty under section 155 of the Data Protection Act 2018 (“the DPA”). The penalty notice imposes an administrative fine on the Central YMCA, in accordance with the Commissioner's powers under Article 83 of the General Data Protection Regulation 2016 (the "UK GDPR"). The amount of the penalty is £7,500 (seven thousand five hundred pounds). 2. The penalty is in relation to contraventions of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR and an incident on 6 October 2022 (the “relevant date”) affecting personal data processed by the Central YMCA on the relevant date. 3. For the reasons set out in this Monetary Penalty Notice, the Commissioner has found that the Central YMCA failed to ensure appropriate security of 1 personal data in its control by implementing appropriate technical and organisational measures and appropriate policies and procedures, as required by Article 5(1)(f) and Article 32(1) of the UK GDPR. 4. This Monetary Penalty Notice explains the Commissioner's decision, including the Commissioner's reasons for issuing the penalty and for the amount of the penalty. The Central YMCA has had an opportunity to make representations to the Commissioner in response to the Notice of Intent regarding this penalty. Instead of making representations the Central YMCA has decided to accept the Notice of Intent and the Commissioner’s findings. Legal Framework Obligations of the Controller 5. The Central YMCA is a controller for the purposes of the UK GDPR and the DPA, because it determines the purposes and means of processing of personal data (UK GDPR Article 4(7)). 6. 
“Personal data” is defined by Article 4(1) of the UK GDPR to mean: “information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 27. “Processing” is defined by Article 4(2) of the UK GDPR to mean: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” 8. Article 9 of the UK GDPR prohibits the processing of “special categories of personal data” unless certain conditions are met. The special categories of personal data subject to Article 9 include: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, bio-metric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. 9. Controllers are subject to various obligations in relation to the processing of personal data, as set out in the UK GDPR and the DPA. They are obliged by Article 5(2) to adhere to the data processing principles set out in Article 5(1) of the UK GDPR. Article 5(2) makes clear that the “controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')". 10. 
In particular, controllers are required to implement appropriate technical and organisational measures to ensure that their processing of personal 3 data is secure, and to enable them to demonstrate that their processing is secure. Article 5(1)(f) ("Integrity and Confidentiality") stipulates that: “Personal data shall be […] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. 11. Article 32 of the UK GDPR also provides that: “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 4 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." The C ommissioner’s Powers of Enforcement 12. 
The Commissioner is the supervisory authority for the UK, as provided for by Article 51 of the UK GDPR. 13. By Article 57(1) of the UK GDPR, it is the Commissioner’s task to monitor and enforce the application of the UK GDPR. 14. By Article 58(2)(d) of the UK GDPR the Commissioner has the power to notify controllers of alleged infringements of the UK GDPR. By Article 58(2)(i) he has the power to impose an administrative fine, in accordance with Article 83, in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case. 15. By Article 83(1), the Commissioner is required to ensure that administrative fines issued in accordance with Article 83 are effective, proportionate, and dissuasive in each individual case. Article 83(2) goes on to provide that: “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: 5(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to 
what extent, the controller or processor notified the infringement; 6 (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.” 16. Article 83(5) UK GDPR provides, inter alia, that infringements of the obligations imposed by Article 5 UK GDPR on the controller and processor will, in accordance with Article 83(2), be subject to administrative fines of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. 17. The DPA contains enforcement provisions in Part 6 which are exercisable by the Commissioner. 1 Section 155 of the DPA sets out the matters to which the Commissioner must have regard when deciding whether to issue a penalty notice and when determining the amount of the penalty and provides that: 1Section 115 DPA establishes that the Commissioner is the UK's supervisory authority for the purposes of the UK GDPR. 7 “(1) If the Commissioner is satisfied that a person— (a) has failed or is failing as described in section 149(2) …, the Commissioner may, by written notice (a "penalty notice"), require the person to pay to the Commissioner an amount in sterling specified in the notice. 
(2) Subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the following, so far as relevant— (a) to the extent that the notice concerns a matter to which the GDPR applies, the matters listed in Article 83(1) and (2) of the UK GDPR.” 18. The failures identified in section 149(2) DPA are, insofar as relevant here: “(2) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following— (a) a provision of Chapter II of the UK GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing); …; 8 (c) a provision of Articles 25 to 39 of the UK GDPR or section 64 or 65 of this Act (obligations of controllers and processors) […]” 19. Schedule 16 includes provisions relevant to the imposition of penalties. Paragraph 2 makes provision for the issuing of notices of intent to impose a penalty, as follows: “(1) Before giving a person a penalty notice, the Commissioner must, by written notice (a "notice of intent") inform the person that the Commissioner intends to give a penalty notice.” The Commissioner's Regulatory Action Policy 20. Pursuant to section 160(1) DPA, the Commissioner published his Regulatory Action Policy ("RAP”) on 7 November 2018. 21. The process the Commissioner will follow in deciding the appropriate amount of a penalty to be imposed is described in the RAP from page 27 onwards. In particular, the RAP sets out the following five-step process: a. Step 1. An ‘initial element’ removing any financial gain from the breach. b. Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2) - (4) DPA. 9 c. Step 3. Adding in an element to reflect any aggravating factors. 
A list of aggravating factors which the Commissioner would take into account, where relevant, is provided at page 11 of the RAP. This list is intended to be indicative, not exhaustive. d. Step 4. Adding in an amount for deterrent effect to others. e. Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship). A list of mitigating factors which the Commissioner would take into account, where relevant, is provided at page 11-12 of the RAP. This list is intended to be indicative, not exhaustive. Circumstances of the Failure: Facts General Background 22. This Penalty Notice does not purport to identify exhaustively each and every circumstance and document relevant to the Commissioner’s investigation. The circumstances and documents identified below are a proportionate summary. 23. The Central YMCA is an education and wellbeing charity registered as a data controller with the Information Commissioner's Office (the "ICO"). It provides a number of community programmes, one of which is the Positive Health Programme. 1024. The Positive Health Programme ("Programme") is run by the Positive Health team as part of YMCA Club. YMCA Club is a large gym facility, which is part of the Central YMCA. 25. The Programme is an exercise scheme for people living with HIV. As part of the Programme, the Central YMCA collects special category data (the aims of referral to the Programme, the date of HIV diagnosis, the medication taken, the individual's medical statistics, other medical history and their referring clinician/hospital). 26. On 6 October 2022 at approximately 15:34 BST, a co-ordinator for the Programme sent an email to a mailing list of 270 recipients, inviting them to a talk about nutrition. 27. The Programme co-ordinator used an email programme (Microsoft Outlook) to send the email. 
At the relevant date, the Central YMCA had a verbally communicated policy that the Programme team should send event invitations via Microsoft Outlook using the blind carbon copy (“BCC”) function. 28. The co-ordinator unfortunately included those email addresses in the carbon copy (“CC”) function, thus revealing all of the email addresses to all 270 recipients. 29. The day after, on realising the error, the co-ordinator used the recall function within Microsoft Outlook to try and recall the email sent. This however led to another email to all 270 recipients. It was the Programme team's belief that this would remove the original message from the recipients' inboxes. 11The number of data subjects involved 30. Whilst the emails had been sent to 270 recipients, there were duplicates, so they were sent to 264 unique email addresses. 31. The emails were not delivered to 9 of those email addresses, so the emails were delivered to 255 recipients, disclosing 264 email addresses. 32. The Central YMCA then assessed that 115 of those had clear names in them, and a further 51 contained at least part of a name, making them potentially identifiable. Therefore 166 data subjects were affected by the breach, all of whom are in the Programme. The nature of the personal data and special category data disclosed 33. As part of its guidance and resources relating to UK GDPR, the Commissioner has produced detailed guidance in relation to special category data. The guidance includes a sub-section titled 'What is special category data?' which establishes that special category data is not just personal data which specifies relevant details but also personal data "revealing or concerning" those details. The test to be met is whether the relevant information can be inferred with a reasonable degree of certainty, and if so, it is likely to be special category data. 34. As well as the disclosure of 166 email addresses containing personal data, the context of the email was the Programme. 
The invite to the event for nutrition guidance to individuals meant that it can be reasonably assumed that the recipients of the email would be aware that the Programme is directed at individuals with HIV. If the recipients were not part of the 12 Programme, they could find out what the Programme was on the Central YMCA's website. 35. Recipients of the email can therefore infer from its contents that the 166 individuals whose email addresses were disclosed in the breach were likely to be living with HIV, meaning that the disclosed personal data included health data, which in turn is special category data under Article 9(1) of the UK GDPR. 36. The Central YMCA had also set expectations of privacy in its Programme, and that some members of the Programme may have wished to remain anonymous, even to other members of the Programme, whilst noting that "all recipients are assumed to have an HIV positive diagnosis". 37. Even if the personal data was not considered to be special category data, there are particular sensitivities regarding the personal data being processed in the Programme, which the Central YMCA should have considered and taken a cautious approach when processing it, as set out in the Commissioner's guidance referred to in paragraph 33: "If you think the data carries a risk of inferences that might be considered sensitive or private, even if this falls short of revealing something about one of the special categories with any level of certainty, then you should also carefully consider fairness issues and whether there is anything more you can do to minimise privacy risks." Discovery of the breach, reporting to the Commissioner and communications to data subjects 1338. The Central YMCA became aware of the breach on the morning after the email was sent, as a result of complaints received from recipients. 39. The YMCA Club informed the Central YMCA's Data Protection Officer (DPO) later that morning, with a breach report being made to the ICO that evening. 
This was in line with Article 33 of the UK GDPR and within the 72 hour period. 40. In accordance with Article 34 of the UK GDPR the Central YMCA notified affected data subjects on 10 October 2022, setting out the cause of the breach, took accountability for the error and informed data subjects of the steps the Central YMCA were taking, including reporting the incident to the ICO and conducting an internal review. The data controller provided the DPO’s contact details for anyone affected to ask questions or to discuss how the breach had affected them. The Commissioner’s Investigation 41. The Commissioner first wrote to the Central YMCA on 14 December 2022 asking for further information in relation to the actions the Central YMCA had taken following the data breach notification it had made on 7 October 2022. During the period between February 2023 and April 2023, subsequent enquiries were raised by the Commissioner seeking additional information from the Central YMCA. 42. The Commissioner's investigation found four key areas where the Central YMCA failed to take reasonable steps to prevent this breach: a. The Central YMCA had no written policy in place regarding the sending of group emails, 14 b. The Central YMCA had access to an email marketing platform (and the use of this platform would have reduced the likelihood of an inappropriate disclosure) however the Central YMCA did not use it in this case, c. The Central YMCA failed to effectively monitor completion of data protection training, and d. There is evidence of deficiencies within the Central YMCA's data protection training. The Contraventions of Articles of 5 (1)(f) and 32 (1) and (2) of the UK GDPR 43. The Commissioner has considered whether the facts set out above constitute a contravention of the data protection legislation. 44. 
For the reasons set out below, the Commissioner has taken the view from his investigation that this breach occurred as a result of serious deficiencies in the technical and organisational measures implemented by the Central YMCA. 45. For the reasons set out below, and having carefully considered the information provided by the Central YMCA, the Commissioner's view is that the Central YMCA failed to comply with Articles 5 (1)(f) and 32(1) and (2) of the UK GDPR. Article 5 (1)(f) and 32(1) and (2) of the UK GDPR 1546. The Commissioner finds that the Central YMCA has failed to comply with the requirements of Article 5(1)(f) of the UK GDPR, including to process personal data "in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures". In making this determination, the Commissioner takes into account the Central YMCA's failure to comply with Articles 32(1), 32(1)(a), 32(1)(b) and 32(2) of the UK GDPR, which was demonstrated by the Central YMCA's failure to implement appropriate technical and organisational measures: a. not having a relevant written policy or procedure in place; b. inappropriately relying on the use of BCC to send group emails; c. not providing data protection training specific to employee roles and levels of access to personal data; d. a lack of awareness of data protection legislation within some parts of the organisation; and e. not effectively monitoring completion of data protection training. (1) not having a relevant written policy or procedure 47. At the time of the security incident, the Central YMCA did not have sufficient written information security policies or procedures to prevent this breach. It only had a verbal policy to use BCC in emails, both of which are insufficient and not appropriate for managing special category data. It also communicated relatively frequently using this method. 48. 
Another part of the Central YMCA (the Communications and Marketing team) had an email marketing tool, BrotherMailer, which could have been used to mitigate this risk and handle the special category data 16 appropriately, by sending individual emails to each recipient. However, the Central YMCA did not know that the Programme was sending emails of this nature. 49. Relevant industry standards and guidance, including ISO27001, NIST Cyber Security Framework, and the ICO and National Cyber Security Centre co-published guidance, "GDPR Security Outcomes", establish that organisations should have written security policies and procedures in place. 50. ISO27001 recommends that: “A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties”. The NIST Cyber Security Framework requires that an: “Organizational cybersecurity policy is established and communicated”, and the GDPR Security Outcomes sets out that to protect personal data against cyber-attacks organisations should "define, implement, communicate and enforce appropriate policies and processes that direct your overall approach to securing systems involved in the processing of personal data". 51. It is the Commissioner's view that the lack of documented and appropriate security policies and procedures to deal with the sending of emails with special category data was in non-compliance with Article 32(1) of the UK GDPR. The lack of such documentation also contributed to the Central YMCA failing to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures, as required by Article 5(1)(f) of the UK GDPR. 
It also meant that the Central YMCA had not assessed the appropriate level of security with regard to the risks of its data processing, particularly here in respect of the unauthorised disclosure of an individual's special category data to other participants in the Programme, as required by Article 32(2) of the UK GDPR.

(2) inappropriately relying on the use of BCC to send group emails

52. As the Commissioner refers to above, the lack of a documented policy meant that whilst the Programme co-ordinator believed that they were acting in an appropriate way, following the verbal policy to use BCC, this was an inappropriately insecure method of doing so. This is because it relies on the individual sending the email to ensure that it goes in the BCC field and not, as happened here, in the CC field, thus exposing individuals' special category data.

53. The Central YMCA had the financial and organisational means to implement BrotherMailer in the Programme team but failed to do so. As the Central YMCA procured the BrotherMailer tool for use elsewhere in the Central YMCA, it can be inferred that parts of the Central YMCA knew that reliance on sending emails by BCC was inappropriate, but that this knowledge, the process and the tool were not appropriately communicated throughout the Central YMCA.

54. If the Central YMCA had used BrotherMailer it would also have likely safeguarded the personal data from inappropriate disclosure.

(3) not providing data protection training specific to employee roles and levels of access to personal data

55. The Central YMCA told the Commissioner that the Programme co-ordinator had initially been a self-employed contractor in a different team. They had not completed data protection training and it had been the Central YMCA's policy to provide training only to employees.

56. This changed in March 2022, but as the Commissioner notes below in point 5, the Programme co-ordinator still did not take the training.

57. The Central YMCA used a training partner called Bob's Business Ltd. The Central YMCA provided copies of this training to the Commissioner during the investigation. It included sections on the sending of group emails, but it also stated (despite what the Central YMCA said about there being no written policy) that individuals should use BCC when sending to multiple contacts.

58. Whilst completion of that training may have reduced the risk of the inappropriate disclosure, BCC is still a high-risk method of sending emails and hence the training would not have eliminated the risk of human error.

59. The training did not highlight the increased risks when processing special category data, nor did it bring attendees' attention to the fact that the BrotherMailer platform was available within the Central YMCA and would have provided an appropriately secure alternative method to send emails.

60. The Commissioner expected the Central YMCA to provide role-specific data protection training, of a sufficient quality to ensure that data protection is understood, and proportionate to the individual's level of access to, and the sensitivity of, personal data.

(4) a lack of awareness of data protection legislation within some parts of the organisation

61. The Commissioner noted in its investigation that there is evidence of a lack of awareness of data protection legislation in the Programme team. For example, they did not initially understand the seriousness of the breach, referring to a "possible breach" when reporting it, and stating that the email "contained no private information".

(5) not effectively monitoring completion of data protection training

62. The Programme co-ordinator had not completed data protection training prior to the data breach. At the relevant time, 73% of workers at the Central YMCA had completed the relevant training module.

63. Before the Programme co-ordinator moved to a fixed-term contract in 2022, they were signed up to certain induction modules, including data protection training. They did not complete this training, nor did they do so when training was required for self-employed contractors. A process was in place for line managers to ensure induction checklists were completed, but there was no central oversight. A reporting mechanism was in place to assess non-completion, but this did not work either.

64. The Commissioner expected the Central YMCA to monitor training effectively and ensure that mandatory training was completed, in line with the Central YMCA's policies.

Factors relevant to whether a penalty is appropriate, and if so, the amount of the penalty

65. The Commissioner has considered the factors set out in Article 83(2) of the UK GDPR in deciding whether to issue a penalty. For the reasons given below, he is satisfied that: (i) the contraventions are sufficiently serious to justify issuing a penalty in addition to exercising his corrective powers; and (ii) the contraventions are serious enough to justify a significant fine.

(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

Nature:

66. As the Commissioner sets out above, this was a disclosure of special category data in circumstances where confidentiality was expected, and the Central YMCA had not taken appropriate actions to appropriately secure the special category data. The Central YMCA had intended to use BCC, which is not appropriately secure, and the Programme co-ordinator then used CC, which was not secure.

67. The Commissioner's investigation into the incident revealed multiple infringements of the UK GDPR as set out in paragraphs 41 to 64 above. In particular, the Commissioner found breaches of Article 5(1)(f) and 32(1) and (2) due to: no written policy being in place for the sending of group emails; the email marketing platform not being used, hence CC being used by mistake; not effectively monitoring the completion of data protection training; and deficiencies within that training itself.

Gravity:

68. The contravention is serious, in particular having regard to the sensitivity of the personal data processed by the Central YMCA.

69. In addition, the Commissioner takes account of the risks to data subjects that arise from the loss of control and disclosure of what they considered and expected to be confidential special category data, as it was special category data for 166 data subjects given that a positive HIV diagnosis can be inferred with a reasonable degree of certainty.

Number of data subjects

70. The number of data subjects is 166, as set out above at paragraph 69.

Duration

71. The Commissioner considers that the contraventions relating to Articles 5(1)(f) and 32(1) of the UK GDPR were from 6 October 2022 at 15:34 BST when the breach occurred. It was not until 10 October 2022 that the individuals on the affected mailing list were emailed to advise of the breach.

(b) the intentional or negligent character of the infringement

72. The Commissioner considers that the infringement was negligent for the reasons set out in paragraphs 66 to 69 above.

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

73. The Central YMCA complied with Article 34 of the UK GDPR to notify data subjects of the personal data breach, but this took from 6 October to 10 October to do so.

74. The Central YMCA also implemented short and longer term remedial measures, including an attempted email recall which was ineffective, immediate breach reporting to the Central YMCA DPO and feedback to the staff involved about the approach they had taken being ineffective.
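The Commissioner's point in paragraphs 52 to 54 and 58 above is that a control which depends on the sender choosing the BCC field fails on ordinary human error, and that a mailing tool which never exposes one recipient to another is the appropriate technical measure. The Python script below is an added example; it is not text from the ICO notice and not code from the Central YMCA or BrotherMailer. It assumes a hypothetical `transport` callable standing in for the real mail submission step, and every address in it is constructed. It shows the two halves of such a control: delivery of one message per recipient, so a recipient list is never placed in any header, and a pre-send check that refuses a multi-recipient message addressed to a confidential list whether the addresses sit in To, CC or BCC.

```python
"""Per-recipient delivery with a pre-send exposure check for a confidential
mailing list. Added example, not code from the ICO notice, the Central YMCA
or BrotherMailer. `transport` is a hypothetical callable standing in for the
real mail submission step; all addresses below are constructed."""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable


class RecipientExposureError(ValueError):
    """Raised when a message would reveal members of a confidential list."""


def recipient_addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Lower-cased bare addresses found in the named recipient headers."""
    values: list[str] = []
    for header in headers:
        values.extend(str(v) for v in msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_message(msg: EmailMessage, confidential: set[str]) -> None:
    """Refuse a message carrying more than one recipient when any of them is
    on the confidential list. Two or more addresses in To/Cc is the
    CC-instead-of-BCC failure from the notice; a bulk Bcc is refused too,
    because the control is one message per recipient, not the sender
    remembering the right field."""
    visible = recipient_addresses(msg, "To", "Cc")
    hidden = recipient_addresses(msg, "Bcc")
    everyone = visible + hidden
    if len(everyone) <= 1 or not any(a in confidential for a in everyone):
        return  # single recipient, or nobody from the protected list
    if len(visible) > 1:
        raise RecipientExposureError(
            f"{len(visible)} addresses visible in To/Cc: members of a "
            "confidential list would be disclosed to each other"
        )
    raise RecipientExposureError(
        "bulk Bcc to a confidential list is not permitted: send one message per recipient"
    )


def send_individually(sender: str, subject: str, body: str,
                      recipients: Iterable[str],
                      transport: Callable[[EmailMessage], None]) -> int:
    """Send one copy of the message to each unique recipient; returns the count."""
    unique = list(dict.fromkeys(a.strip().lower() for a in recipients))  # de-duplicate, keep order
    confidential = set(unique)
    for addr in unique:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr  # exactly one recipient header, nothing in Cc or Bcc
        msg["Subject"] = subject
        msg.set_content(body)
        check_message(msg, confidential)  # defence in depth; passes by construction
        transport(msg)
    return len(unique)


# Constructed sample list. The entry differing only in case mirrors the
# notice's observation that the real list contained duplicates.
SAMPLE_LIST = ["alice@example.org", "Bob@example.org", "carol@example.org", "bob@example.org"]
SENDER = "programme@example.org"


def bulk_message(field: str) -> EmailMessage:
    """The failure mode: the whole list placed in a single header (Cc or Bcc)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg[field] = ", ".join(SAMPLE_LIST)
    msg["Subject"] = "Session times"
    msg.set_content("Hello")
    return msg


def demo() -> dict:
    """Run the safe path and both unsafe paths; return what each produced."""
    outbox: list[EmailMessage] = []  # stands in for the real transport
    sent = send_individually(SENDER, "Session times", "Hello", SAMPLE_LIST, outbox.append)
    confidential = {a.lower() for a in SAMPLE_LIST}
    rejections: dict[str, str | None] = {}
    for field in ("Cc", "Bcc"):
        try:
            check_message(bulk_message(field), confidential)
            rejections[field] = None
        except RecipientExposureError as exc:
            rejections[field] = str(exc)
    return {"sent": sent, "outbox": outbox, "rejections": rejections}


if __name__ == "__main__":
    result = demo()
    print(f"sent {result['sent']} individual messages")
    for field, reason in result["rejections"].items():
        print(f"bulk {field} message: {'accepted' if reason is None else 'rejected: ' + reason}")
```

Running the script delivers the three de-duplicated sample addresses as three separate single-recipient messages and rejects both the CC-to-everyone message of the kind that caused this incident and a BCC-to-everyone variant. Placing `check_message` in the mail submission path (or an equivalent rule in the mail gateway) is what turns a verbal "use BCC" policy into a technical measure, and the rejection reason is what the sender, and any DLP log, would see.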
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32

75. Article 32 of the UK GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by their processing, including the potential impacts these risks may have on the rights and freedoms of natural persons.

76. More specifically, Article 32(1)(b) of the UK GDPR requires organisations to implement measures that ensure the ongoing confidentiality, integrity, availability and resilience of their processing systems and services.

77. The Commissioner is satisfied, for the reasons set out in the paragraphs above, that the Central YMCA did not have sufficient measures in place to ensure the ongoing integrity and resilience of processing systems and services in line with Articles 5(1)(f) and 32(1).

(e) any relevant previous infringements by the controller or processor

78. The Commissioner has not identified any relevant previous infringements by the Central YMCA.

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement

79. The Central YMCA fully cooperated with the Commissioner's investigation.

(g) the categories of personal data affected by the infringement

80. The categories of personal data affected are set out above at paragraphs 33 to 37.

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

81. The Central YMCA self-reported the personal data breach to the Commissioner within 72 hours of becoming aware of the incident.

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

82. Not applicable.

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42;

83. Not applicable.

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

84. The Commissioner has considered the following aggravating factors in this case:
a. Not applicable.

85. The Commissioner took into account the following mitigating factors:
a. Not applicable.

Summary and Penalty

86. For the reasons set out above, the Commissioner has decided to impose a financial penalty on the Central YMCA. Taking together the findings above concerning the infringement, its likely impact, and the fact that the Central YMCA failed to comply with its GDPR obligations, the Commissioner has decided to apply an effective, dissuasive and proportionate penalty reflecting the seriousness of the breach which has occurred.

Calculation of Penalty

87. The Commissioner considers that imposition of a financial penalty would be an effective and proportionate action to ensure future compliance.

88. Following the Five Step process set out in the RAP, the calculation of the proposed penalty is as follows.

89. Step 1: An initial element removing any financial gain from the breach. There was no evidence of financial gain from the breach.

90. Step 2: Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) DPA. This refers to and repeats the matters listed in Article 83(1) and (2) as set out above. The details are set out above. The conclusion at Step 2, taking into account (a) the matters set out above at paragraphs 65 to 83, (b) the matters referred to in this section and (c) the need to apply an effective, proportionate and dissuasive fine, is that the Commissioner considers that a penalty of £300,000 would be appropriate before adjustment in accordance with Steps 3 to 5 below. This amount is considered appropriate to reflect the seriousness of the breach and takes into account in particular the need for the penalty to be effective, proportionate and dissuasive.

91. Step 3: Adding in an element to reflect any aggravating factors (Article 83(2)(k)). The Commissioner considered that there were no additional factors; those relevant to the setting of the penalty were addressed during Step 2.

92. Step 4: Adding an amount for deterrent effect to others. The Commissioner considered that the factors relevant to the setting of the penalty were addressed during Step 2.

93. Step 5: Reducing the amount to reflect any mitigating factors, including ability to pay. The Commissioner does not believe that there are any mitigating factors relevant to Step 5, even though new procedures have been implemented and better training and written policies have been applied. The Commissioner expects any organisation to have these in place as a matter of course. However, taking into account the Commissioner's current policy and its action on previous cases, the Commissioner reduced the value of the fine to £7,500.

The amount of the penalty

94. For the reasons explained above, the Commissioner is satisfied that the conditions from the factors set out in Article 83(2) of the UK GDPR have been met in this case and that he has adopted fair procedure. The latter has included issuing a Notice of Intent, in which the Commissioner set out his preliminary thinking. The Central YMCA had the opportunity to make written representations in response to the Notice of Intent but instead has decided to accept the Notice of Intent and the Commissioner's findings.

95. In making his decision, the Commissioner has also had regard to the factors set out in s108(2)(b) of the Deregulation Act 2015, including: the nature and level of risks associated with non-compliance, including the risks to economic growth; the steps taken by the business to achieve compliance and reasons for its failure; the willingness and ability of the business to address non-compliance; the likely impact of the proposed intervention on the business; and the likely impact of the proposed intervention on the wider business community, both in terms of deterring non-compliance and economic benefits to legitimate businesses.

96. Taking into account all of the factors set out above, the Commissioner has decided to impose a penalty on the Central YMCA of £7,500 (seven thousand and five hundred pounds).

Conclusion

97. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 3 April 2024 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund, which is the Government's general bank account at the Bank of England.

98. There is a right of appeal to the First-tier Tribunal (Information Rights) against:
a) The imposition of the penalty; and/or,
b) The amount of the penalty specified in the penalty notice.

99. Any notice of appeal should be received by the Tribunal within 28 days of the date of this penalty notice.

100. The Commissioner will not take action to enforce a penalty unless:
the period specified within the notice within which a penalty must be paid has expired and all or any of the penalty has not been paid;
all relevant appeals against the penalty notice and any variation of it have either been decided or withdrawn; and
the period for appealing against the penalty and any variation of it has expired.

101. In England, Wales and Northern Ireland, the penalty is recoverable by Order of the County Court or the High Court. In Scotland, the penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

102. Your attention is drawn to Annex 1 to this Notice, which sets out details of your rights of appeal under s.162 DPA 2018.

Dated the 6th day of March 2024

Anthony Luhman
Temporary Director of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

Rights of appeal against decisions of the Commissioner

1. Section 162 of the Data Protection Act 2018 gives any person upon whom a penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal') against the notice.

2. If you decide to appeal and if the Tribunal considers:
a) that the notice against which the appeal is brought is not in accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:
GRC & GRP Tribunals
PO Box 9300
Arnhem House
31 Waterloo Way
Leicester
LE1 8DJ
Telephone: 0203 936 8963
Email: grc@justice.gov.uk
a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.

4. The notice of appeal should state:
a) your name and address/name and address of your representative (if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above, the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.

5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.

6. The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained in sections 162 and 163 of, and Schedule 16 to, the Data Protection Act 2018, and the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).