ICO (UK) - HIV Scotland

From GDPRhub
ICO (UK) - HIV Scotland
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 18.10.2021
Published: 22.10.2021
Fine: 10000 GBP
Parties: HIV Scotland
National Case Number/Name: HIV Scotland
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: MH

The UK DPA (ICO) imposed a fine of around €12000 on HIV Scotland for failing to implement appropriate organisational and technical measures. The charity disclosed special category data by sending a group email in CC rather than BCC.

English Summary[edit | edit source]

Facts[edit | edit source]

HIV Scotland is a charity that helps people living with HIV, those at risk of HIV and individuals that support people with HIV. HIV Scotland got a MailChimp account for the purpose of online mailing and migrated contact details to the bulk mailing platform. A list of contact details of the Community Advisory Network (CAN) was not migrated.

On 3 Feburary 2020, an email was sent using Microsoft Outlook to 105 members of CAN in CC rather than BCC. This meant that email addresses of 65 recipients were apparent, identifying the individual by name.

HIV Scotland noticed the error instantly and submitted a breach report, highlighting that individuals' HIV statuses could be deduced from this breach. HIV Scotland contacted the individuals to apologise and offered support if distress was caused.

HIV Scotland has since implemented MailChimp for all its mailing operations to reduce the risk of a repeat incident.

Holding[edit | edit source]

The Information Commissioner's Office (ICO) conclude that HIV Scotland failed to set up appropriate organisational and technical measures. The following steps taken by HIV Scotland prior to the breach were insufficient according to the ICO:

  • Employees asked to read and refer to HIV Scotland's privacy policy
  • Training on GDPR awareness in the first three months of employment
  • Awareness of the BCC requirement for group emails
  • Attempt to migrate contact details to MailChimp for better security.

The ICO found following deficiencies in the technical and organisational measures at HIV Scotland.

  • HIV Scotland did not have a specific internal Policy for handling personal data securely. Reliance on the external Privacy Policy was not an appropriate data protection policy for staff handling personal data.
  • The staff did not have guidance on how to handle personal data securely. According to the ICO, employees should have had GDPR training prior to handling personal data and within one month of their start data. This is especially required when staff handle special category data.
  • It was revealed during the investigation that the charity was aware of the poor data storage for 10 months prior to the breach. The move to MailChimp was an attempt to rectify this, however this was not adequately implemented between July 2019 and the day of the breach, 3 February 2020. According to the ICO, a correct and full implementation MailChimp would have prevented the disclosure of personal data.

The ICO clarified that although only email addresses were apparent, the special category data of 65 identified individuals could be inferred to a reasonable degree (HIV status).

The ICO deemed that HIV Scotland was fully aware of the risk of its practices, having criticised another controller for having suffered a similar error 6 months before HIV Scotland's own personal data breach.

The ICO concluded that HIV Scotland infringed Article 5(1)(f) of the GDPR by sending bulk emails rather than separate emails to each intended recipient. Additionally, it found that in addition to failing to fully migrate to MailChimp, HIV Scotland failed to use BCC in Microsoft Outlook.

The ICO also concluded that HIV Scotland infringed Articles 32(1) and (2) of the GDPR by failing to have a level of security appropriate to the risk of processing. The ICO particularly highlighted the awareness within HIV Scotland that their practices prior to the breach were deficient.

When assessing the level of the fine, the ICO considered certain factors, such as:

  • the fact that the breach of personal data would at least cause an element of distress for the individuals;
  • the fact that the breach was negligent due to HIV Scotland's awareness that Outlook was not secure for sensitive communications and that HIV Scotland had criticised another controller for a similar error;
  • the fact that HIV Scotland should have been aware of previous fines by the ICO regarding similar breaches and in any case were aware of the deficiencies of their own technical and organisational measures;
  • the fact that special category data (HIV status) could be reasonably inferred as a result of the breach;
  • the fact that HIV Scotland took steps to mitigate the damage suffered by individuals;
  • the fact that HIV Scotland didn't have prior data protection infringements;
  • the fact that HIV Scotland cooperated with the ICO; and
  • the fact that HIV Scotland reported the breach to the ICO within 2 hours of the incident.

The ICO then went to impose a fine of approximately €12000 on HIV Scotland.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                          •

                                                         ICO.
                                                         Information Commissioner's Office


        DATA PROTECTION ACT 2018     (PART 6, SECTION 155)


   SUPERVISORY    POWERS OF THE INFORMATION COMMISSIONER


                    MONETARY PENALTY NOTICE


TO:  HIV Scotland


OF:  18 York Place, HIV Scotland, Edinburgh EHl 3EP



   1. HIV Scotland is charity registered in Scotland (number SC033951) and
     a company limited by guarantee (number SC242242).


   2. The InformatioCommissioner ("the Commissioner"has decided to

     issue HIV Scotland with a Penalty Notice under section 155 of the Data
     Protection Act 2018 ("the DPA"). This penalty notice imposes an

     administrativfine on HIV Scotland, in accordance with the
     Commissioner's powers under Article 83 of the General Data Protection

     Regulation 2016 ("the GDPR"). The amount of the monetary penalty is

     £10,000.


   3. This penalty has been issued because of contravenby HIV
     Scotland of Articles 5(land 32(1) and (2) of the GDPR in that,

     during the period of 25 May 2018 to 24 February 2020, HIV Scotland
     failed to implement an appropriate level of organisand technical

     security to its internal email systems. This failure resulted in an email

     being sent on 3 February 2020 without the appropriate security to 105
     recipients, disclosing the personal data of 65 of the recipients. In

     particular, the email contained personal data and disclosed information
     from which special category data could be reasonably inferred.

                                  1                                                              •

                                                              ICO.
                                                              Information Commissioner's Office


   4. In the interests of clarity, 25 May 2018 is the date when GDPR came
      into effect, and 25 February 2020 is the date on which HIV Scotland

      took its final steps to implement MailChimp as its sole email client for
      any mail-out across the organisation, thereby mitigating the risk which

      led to the initial data breach.


   5. This Monetary Penalty Notice explains the Commissioner's decision,

      includingthe Commissioner's reasons for issuing the penalty and for
      the amount of the penalty.


Legal framework   for this Notice of Intent



Obligations  of the controller


   6. HIV Scotland is a controller for the purposes of the GDPR and the DPA,

      because it determines the purposes and means of processing of personal
      data (GDPR Article 4(7)).



   7. 'Personal data' is defined by Article 4(1) of the GDPR to mean:

                 information relating to an identified or identifiable natural
                 person ('data subject'); an identifiable natural person is
                 one who can be identified,irectly or indirectly, in
                 particular by reference to an identifier such as a name, an
                 identificationumber, location data, an online identifier or
                 to one or more factors specific to the physical,

                 physiological, genetic,ntal, economic, cultural or social
                 identity of that natural person.

8.   'Processing' is defined by Article 4(2) of the GDPR to mean:


                 any operation or set of operations which is performed on
                 personal dataor on sets of personal data, whether or not
                 by automated means, such as collection, recording,

                                    2                                                                •

                                                                ICO.
                                                                Information Commissioner's Office

                 organisation, structuring,storage, adaptation or alteration,
                 retrieval, consultation, use, disclosure by transmission,
                 dissemination  or otherwise making available, alignment or
                 combination, restriction, erasure or destruction


9.    Article 9DPR prohibits the processing of 'special categories of personal

      data' unless certain  conditions are met.  The special categories   of
      personal data subject to Article 9 include 'data concerning health or data

      concerning a natural person's sex life or sexual orientation'.


10.   Controllers are subjecto various obligations in relation to the processing

      of personal data, as set out in the GDPR and the DPA. They are obliged
      by Article 5(2) to adhere to the data processing principles set out in

      Article 5(1) of the GDPR.


11.   In particular, controllers are required to implement appropriate technical

      and organisational measures to ensure that their processing of personal
      data is secure, and to enable them to demonstrate that their processing

      is secure. Article 5(1)(f("Integrity and Confidentiality")   stipulates

      that:

                 Personal data shall be [...] processed in a manner that
                 ensures appropriate security of the personal data, including
                 protection against unauthorised or unlawful processing and
                 against accidental loss, destruction or damage, using

                 appropriate technical or organisational measures


12.   Article 32 ("Security of processing") provides, in material part:


                 1. Taking into account the state of the art, the costs of
                 implementation  and the nature, scope, context and
                 purposes of processing as well as the risk of varying

                 likelihood and severity for the rights and freedoms of
                 natural persons, the controller and the processor shall
                 implement appropriate technical and organisational

                                     3                                                               •


                                                               ICO.
                                                               Information Commissioner's Office
                 measures to ensure a level of security appropriate to the
                 risk, including inter alia as appropriate:

                       (a) the pseudonymisation and encryption of personal
                       data;

                       (b) the ability to ensure the ongoing confidentiality,
                       integrity, availability and resilience of processing
                       systems and services;


                       (c) the ability to restore the availability and access to
                       personal data in a timely manner in the event of a
                       physical or technical incident;

                       (d) a process for regularly testing, assessing and
                       evaluating the effectiveness of technical and
                       organisational measures for ensuring the security of
                       the processing.

                 2. In assessing the appropriate level of security account

                 shall be taken in particular of the risks that are presented
                 by processing, in particular from accidental or unlawful
                 destruction, loss, alteration, unauthorised disclosure of, or
                 access to personal data transmitted,stored or otherwise
                 processed.


The Commissioner's    powers of enforcement


13.   The Commissioner   is the supervisory authorityfor the UK under the

      GDPR.


14.   By Article 57(1) of the GDPR, it is the Commissioner'task to monitor
      and enforce the application of the GDPR.


15.   By Article 58(2)(d)of the GDPR the Commissioner    has the power to

      notify controllers of alleged infringemenof GDPR. By Article 58(2)(i)
      she has the power to impose an administrative fine, in accordance with

      Article 83, in addition to or instead of the other correctimeasures

      referred to in Article 58(2)depending on the circumstances   of each
      individual case.

                                     4                                                                 •


                                                                ICO.
                                                                Information Commissioner's Office

16.   By Article  83(1),  the  Commissioner    is required  to  ensure   that
      administrative fines issued in accordance with Article 83 are effective,

      proportionate,and dissuasive in each individual case. Article 83(2) goes

      on to provide that:

                  When deciding whether to impose an administrative  fine

                 and deciding on the amount of the administrative  fine in
                 each individual case due regard shall be given to the
                 following:

                       (a) the nature, gravity and duration of the
                       infringement  taking into account the nature scope or
                       purpose of the processing concerned as well as the
                       number of data subjects affected and the level of
                       damage suffered by them;

                       (b) the intentional or negligent character of the

                       infringement;

                       (c) any action taken by the controller or processor to
                       mitigate the damage suffered by data subjects;

                       (d) the degree of responsibility of the controller or
                       processor taking into account technical and
                       organisational measures implemented by them
                       pursuant to Articles 25 and 32;

                       (e) any relevant previous infringements by the

                       controller or processor;

                       (f) the degree of cooperation with the supervisory
                       authority, in order to remedy the infringement and
                       mitigate the possible adverse effects of the
                       infringement;

                       (g) the categories of personal data affected by the
                       infringement;

                       (h) the manner in which the infringement  became

                       known to the supervisory authority, in particular
                       whether, and if so to what extent, the controller or
                       processor notified the infringement;


                                      5                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

                       (i)where measures referred to in Article 58(2) have
                       previously been ordered against the controller or
                       processor concerned with regard to the same
                       subject-matter, compliance with those measures;

                       (j)adherence to approved codes of conduct pursuant
                       to Article 40 or approved certification mechanisms
                       pursuant to Article 42; and

                       (k) any other aggravating or mitigating factor
                       applicable to the circumstances of the case, such as
                       financial benefits gained, or losses avoided, directly

                       or indirectly, from the infringement.


17.  The DPA contains enforcement provisions in Part 6 which are exercisable
      by the Commissioner.   Section 155 of the DPA ("Penalty    Notices")

      provides that:


                 (1) If the Commissioner is satisfied that a person­

                       (a) has failed or is failing as described in section
                       149(2) ...,

                       the Commissioner may, by written notice (a "penalty
                       notice"), require the person to pay to the
                       Commissioner an amount in sterling specified in the
                       notice.

                 (2) Subject to subsection (4), when deciding whether to
                 give a penalty notice to a person and determiningthe

                 amount of the penalty, the Commissioner must have
                 regard to the following, so far as relevant-

                       (a) to the extent that the notice concerns a matter to
                       which the GDPR applies, the matters listed in Article
                       83(1) and (2) of the GDPR.


18.  The failures identifiedin section 149(2)  DPA are, insofar as relevant

      here:




                                     6                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

                 (2) The first type of failure is where a controller or
                 processor has failed, or is failing, to comply with any of the
                 following-

                       (a) a provision of Chapter II of the GDPR or Chapter
                       2 of Part 3 or Chapter 2 of Part 4 of this Act
                       (principles of processing);

                       .,.

                       (c) a provision of Articles 25 to 39 of the GDPR or
                       section 64 or 65 of this Act (obligations of controllers
                       and processors) [...]


Factual background to the incident



   19.     HIV Scotland is a charity which provides support for individuals
      living with HIV, individuals who may be at risk of HIV, and individuals

      who support those groups.


   20.     HIV Scotland's Community Advisory Network ("CAN") brings
      together patient advocates from across Scotland to represent the full

      diversity of people living with HIV. Individuals sign up to be part of this

      network to help support and inform the work of HIV Scotland. Semi­
      regular email updates are sent to the group, usually surrounding one of

      their quarterly meetings.

   21.     Having identified its onlineailing/database programme as a key

      organisationalpriority in April 2019, in June 2019 HIV Scotland made a

      decision to procure a MailChimp account. The procurement took place
      in July 2019. Over the following months a number of lists held by HIV

      Scotland were migrated to MailChimp to provide the necessary
      functionalitfor bulk messages to be sent in a more secure manner.

      However, by the time of the incident, the CAN list was not one of those

      which had been migrated.

                                     7                                                             •

                                                            ICO.
                                                            Information Commissioner's Office


22.      On 3 February 2020,                         HIV Scotland sent
   an email using Microsoft Outlook, containing an agenda for an event

   taking place on 8 February 2020, to 105 individual members of HIV

   Scotland's CAN. The agenda provided details of the meeting's key
   discussion points, and details of the meeting's location. Instead of

   using the Blind Carbon Copy ("BCC") feature, the              used
   the Carbon Copy ("CC") feature, showing the email addresses of all

   intended recipients to all that received the email.


23.      65 of 105 email addresses visible to the other recipients as part
   of this communication clearly identified individuals by their name. The

   breach was identified immediately,

                                      Ithas not been possible for HIV
   Scotland to determine how successful the recall was.


24.      Itis noted that two recipients responded to HIV Scotland to
   highlight the incident.


25.      HIV Scotland contacted the ICO Helpline about the incident and

   completed and submitted a breach report on the same day as the
   incident. The incident was attributed to human error, with HIV Scotland

   accepting that, in terms of the personal data disclosed, "[a]ssumption

   could be made about individuals HIV status or risk".

26.      Upon becoming aware of the error, HIV Scotland's chief

   executive emailed all recipients to apologise. HIV Scotland also issued
   a statement on its website, contacted the individuals involved to

   apologise, and to ask that the email is deleteItalso offered personal

   support in the event of any distress caused. HIV Scotland has advised
   that 12 individuals contacted it to thank it for the apology.




                                  8                                                              •

                                                              ICO.
                                                              Information Commissioner's Office






   28.     It is understood that MailChimp is now fully implemented and

      operational so the risk of a repeat incident is significantly reduced and
      very unlikely. In February 2020 HIV Scotland confirmed to the

      Commissioner that it has "now completed the migration to Mai/Chimp
      to ensure that the error of failing to BCC a group email can no longer







   29.     As a result of the breach, HIV Scotland decided to fully audit all
      of its security and data management procedures and a full search of its

      SharePoint Server was completed to ensure no personal information
      was stored separately from its secure mailing lists.


   30.     The Commissioner has considered  whether these facts constitute
      a contraventionof the data protection legislation.


The Contraventions   of Article S(l)(f),32(1)  and (2) of the GDPR


   31.     For the reasons set out below, the Commissioner takes the view
      from her investigation that this breach occurred primarily as a result of

      serious deficiencies in HIV Scotland's technical and organisational
      measures.


   32.     It is accepted that HIV Scotland did have some policies and

      associated measures, whether in place or in progress, at the time of

      the breach, and the Commissioner has considered these below:



                                    9                                                          •

                                                          ICO.
                                                          Information Commissioner's Office
   a) HIV Scotland advised that all employees would be asked to read and

     refer to the HIV Scotland's Privacy Policy as well as highlight it to

     those who contact them when relevant.


   b) HIV Scotland confirmedthat all staff have access to an online
     training hub called 'BOLT Spark' and are required to complete 11

     training modules within the first three months of their employment,
     including GDPR (called "EU GDPR Awareness for All") which contains

     an assessed module on data protection and specifically GDPR.

   c)

                                                        was aware of

     the privacy policy and expectations to meet GDPR requirements,
     includingthe use of BCC for group emails.


   d) HIV Scotland wereat the time of the breach in the process of
     migrating its databases/lists to MailChimp in order to introduce the

     ability to securely email group contacts on all mailing lists held by
     them.



33.     Whilst it is accepted that HIV Scotland had taken some steps as
   detailed above, the Commissioner finds that they were not sufficient.

   The Commissioner's findings are detailed below:


   a) HIV Scotland did not have a specific Policy on the secure handling of
     personal data within the organisation. Rather, the Policy staff relied

     on related to HIV Scotland's own Privacy Policy, and was the public
     facing statement covering points such as Cookie use, and data

     subject access rights; it was not an appropriate Data Protection

     Policy which focused on staff handling of personal data. The Privacy
     Policy referenced by HIV Scotland provided no guidanceo staff on

     the handling of personal data itself, for example, what they must do
                                10                                                      •

                                                     ICO.
                                                     Information Commissioner's Office
   to ensure that it is kept secure. This is something which the

   Commissioner would expect from an organisation handling personal

   data, and would expect it to maintain policies regarding, amongst
   other things, confidentiality.


b) The                               used by HIV Scotland includes
   an entry for day one as "Explanatof data processing, GDP&

   email use inc. BBC for group emails" (sic) which appears to suggest
   that the use of BCC for group emails was deemed an acceptable

   method of group-email contact.


c) HIV Scotland stated in its initial breach notification,









   HIV Scotland confirmed that employees are expected to complete
   the "EU GDPR Awareness for All" on an annual basis. The

   Commissioner considers it a weakness and a risk that the data

   protection course is expected to be completed
                        when it should have been much sooner and

   certainly before an employee handled personal data. Whilst there is
   no fixed requirement within the DPA or the GDPR as to the type of

   data protection training an employee should undertake, or when it
   should be provided, as part of a controller's organisational measures

   to safeguard personal data the Commissioner would expect an

   organisation to train employees handling personal data, and in
   particular data which is special category in nature or by inference

   beforean individual is given access to such data. The
   Commissioner's current guidance on this (as contained in the

                             11                                                                 •


                                                                 ICO.
                                                                 Information Commissioner's Office
         'AccountabilityFramework' package  1) recommends that staff receive

         inductiontraining prior to accessing personal data and within one
         month of their start date.


      d) Regarding the implementation  of Mailchimp, the Commissioner

         notes that when asked for its reasons for procuring Mailchimp, HIV

         Scotland advised that "when I [the HIV Scotland representative]
         took over as Chief Executive, the system for storing data was poor

         in the organisation. It involved a variety of different excel

         spreadsheets  that individual staff controlled. This meant that if
         someone asked to be removed from a mailing list; the process was

         difficult and hard to confirm every entry had been deleted. When we

         hired our Communications  Lead, we highlighted an online
         mailing/database programme as a key priority in April 2019." (sic).


         HIV Scotland stated further during the Commissioner's investigation

         that "[d]ue to the impending event, we had not yet moved the

         Advisory Network mailing list over to Mai/Chimp to ensure everyone
         was still receiving the emails." The "impending event" referred to is

         the CAN event of 8 February 2020, to which the email agenda that

         was sent on 3 February 2020 without the use of BCC pertains. HIV
         Scotland further confirmed that they had procured MailChimp and

         other groups had been transferred onto it, but they held off doing

         that for this particular CAN group because of the immediacy of the
         event that formed the content of the email of 3 February 2020.

         They were concerned that if they had used MailChimp for

         communication   in relation to the impending event, that the emails

         may have caused disruption by ending up in the junk folder or
         appearing to have been sent by someone else. It is clear from HIV

         Scotland's reasons for procuring Mailchimp that it had identified the


1https ://ico .org.uk/for-orga nisations/ accounta biIity-fra mework/trai ning-and-awa reness/i nduction-a nd-refresher-tra ining/

                                     12                                                           •

                                                          ICO.
                                                          Information Commissioner's Office

      need for improvements to online mailings as early as ten months
      prior to the breach.


     The Commissioner understands   that Mailchimp was in fact procured

      in July 2019but was not adequately implemented by the time of the
      breach on 3 February 2020.


      Mailchimp providedthe necessary functionalitfor bulk messages to

      be sent in a more secure manner. The Commissioner is of the view
     that if it had been appropriateimplemented when communicating

      with users and supporters of HIV Scotland's services via email, it
      would have prevented the disclosure of those users' email

      addresses. In short, it would have prevented both the occurrence

      and consequence of the breach.


     The Commissioner's investigation into this matter has determined
     that despite a clear recognition of the risks of the use of BCC,

      insufficient stewere taken quickly enough to prevent the

      disclosure of service users' emails. This is despite a solution having
      already being procured and in use in regard to other areas of HIV

      Scotland's estate. This represents a serious and negligent failure
     take appropriate organisational and technical steps to reduce the

      possibility of an incident occurring. If the use of Mailchimp had been
      adequately risk assessed, scoped and prioritised, the Commissioner

     takes the view that it is highly likely that this incident would not

      have happened.


34.     The Commissioner considers  that the data concerned in this case
   comprises of email addresses. An email address which clearly relates to

   an identified or identifiable living individual is considered to be personal

   data.

                                 13                                                                   •


                                                                  ICO.
                                                                   Information Commissioner's Office


   35.      However, regarding the content of any email, this will not

      automatically be personal data unless it includes information which
      reveals something about that individual or has an impact on them.



   36.      In this case, it is considered that the content of the email,
      specifically the agenda, combined with the identity of the organisation

      sending the email, does reveal information about the recipients.

      Namely, the receipts are identified as HIV Scotland CAN members, to

      the extent that they have been invited to a CAN event hosted by the
      organisation. Consequently, and to the extent to which 65 individuals

      can be identified from the email distributionlist, special category data

      can be inferred to a reasonable degree in so far as the disclosure of the
      email addresses connects those individuals with an organisation that

      provides HIV support services.



   37.      The Commissioner takes    the view that even if the email
      addresses and  content of the email itself can be deemed not to

      constitute special category data, it is clear that there are particular

      sensitivities around the nature of the personal data being processed in
      this situation that HIV Scotland should have considered in line with the

      Commissioner's guidance on Special Category Data    2•



   38.      The Commissioner considers further that HIV Scotland has
      previously demonstrated an increased awareness of the risks of such

      conduct, given  that on 17 June 2019 it had commented critically on its

      website in relationto a similar issue involving a Health Board.





2https ://ico. org. uk/for-ouide-to-data-proteuide-to-the-general-data-protection­
regulation-g dpr/ specia 1-category-d ata/what-i s#scd7i a1-category-d ata/

                                       14                                                            •

                                                           ICO.
                                                           Information Commissioner's Office

39.     The Commissioner takes the view that by the time the HIV
   Scotland breach occurred almost eight months later, and having

   commented on the error experienced by another controller, HIV
   Scotland were certainly aware of such a risk and should have ensured

   they had adequate measures in place to prevent such an incident
   within its own organisation.



40.      HIV Scotland has confirmed that it received one formal complaint
   regarding the incident but did not believe the points raised in the

   complaint required any further action. HIV Scotland responded to the
   complainant with its view at the time, although the Commissioner

   considers that the complaint clearly identifies distress being

   experienced by the complainant as a result of the breach.

41.     Specifically,ith regard to the principle of integrity and

   confidentialitunder Article (S)(l)(of the GDPR, the Commissioner
   considersthat HIV Scotland failed to send a separate email to each

   intended recipient, and instead utilised bulk email facility.


42.     The Commissioner   further finds that, notwithstandiits failure
   to migrate the CAN list to the more secure MailChimp platform despite

   it being available, HIV Scotland failed to use the BCC function of
   Microsoft Outlook.







   had completed the 'Explanation of data processing, GDPR& email use
   inc BBC for group emails' (sic) awareness training






                                 15                                                              •


                                                              ICO.
                                                              Information Commissioner's Office
   44.     In regard to the requirementunder Articles 32(1) and (2) of the
      GDPR to implement a level of security appropriate to the risk when

      processing data,the Commissioner considers that HIV Scotland failed

     to implement a level of security appropriate to the risk in this instance.
      HIV Scotland had actively recognised the need for greater outbound

      mailing security aumber of months prior to the breach, and had in

      fact procured a MailChimp account which, if implementedwould have
      mitigated the risk of a breach. However, it failed to implement this

      level of security in relation to the CAN list which, had it done so, would
      have significantly reducedhe likelihood of the breach occurring.



   45.     The Commissioner finds that HIV Scotland should have taken
      particular account of the risks associated with processing the personal

      data in this instance when assessing the appropriate level of security.

      Given the nature of the CAN list, together with the significant delay
      between procurement of MailChimp in July 2019 and its eventual

      implementation which took place shortly after the breach in February

      2020, it is clear that HIV Scotland failed to do this.

Notice of Intent


   46.     On 22 July 2021, in accordance with s.155(5) and paragraphs 2

      and 3 of Schedule 16 DPA, the Commissioner issued HIV Scotland with
      a Notice of Intent to impose a penalty under s.155 DPA. The Notice of

     Intent described the circumstances and the nature of the personal data

      breach in question, explainedhe Commissioner's reasons for a
      proposed penalty, and invited written representatiofrom HIV

      Scotland.


   47.     On 20 August 2021, HIV Scotland provided written
      representationsin respect of the Notice, together with supporting

      documentation in relation to its finances.

                                    16                                                               •


                                                               ICO.
                                                               Information Commissioner's Office

   48.     On 30 September 2021 the Commissioner held a 'representations
      meeting' to thoroughly consider the representationprovided by HIV

      Scotland. At that meeting it was determined that a monetary penalty

      remained appropriate in all of the circumstances.


Factors relevant to whether   a penalty is appropriate,  and if so, the

amount of the penalty

   49.     The Commissioner   has considered the factors set out in Article

      83(2) of the GDPRin deciding whether to issue a penalty. For the reasons

      given below, she is satisfiedhat (i) the contraventionare sufficiently
      serious to justify issuing a penalty in addition to exercising her corrective

      powers;  and (ii) the contraventions are serious enough to justify a

      significant fine.

(a)   the nature, gravity and duration of the infringement    taking into
account the nature, scope or purpose of the processing concerned as
well as the number of data subjects affected and the level of damage
suffered by them



   50.     On 3 February 2020                                   sent an

      email using Microsoft Outlookto 105 individual members of HIV
      Scotland'sCAN. The email contained an agenda for a forthcoming

      meeting. Instead of using the BCC feature,                 used the

      CC feature, showing the email addresses to all that received the email.
      This was aone-off incident.



   51.     65 individuals could potentially be identified as their names were
      included inthe email address. The other email addresses did not have

      identifiablenformation in the email address but could be used to

      identify individuals in combination with other information e.g. the email
      address could be used to search online to discover other details about

                                    17                                                            •

                                                            ICO.
                                                            Information Commissioner's Office

     the individual. Whilst the data comprises email addresses which in
     themselves are not considered special category data, it could be

      inferred that the individuals they belong to are HIV positive or
     supporting someone who is.


   52.     The Commissioner considers that it is at least possible that there
      may be an element of distress associated with this breach. There has

      been one formalcomplaint received by HIV Scotland, with the

     complainant stating that their HIV status had been disclosed to
     strangers and their choice to tell friends or family had been taken

     away.

(b)  the intentional or negligent character of the infringement


   53.     The Commissioner considers that there is no evidence of there

      being an intentional aspect to this infringehowever the
     Commissioner considers that the breach was negligent since the risks

     of using Outlook for sensitive communications were known by HIV
     Scotland either by reference to previous ICO enforcement action, or by

      HIV Scotland's knowledge of a very similar recent incident involving
     another controller. Furthermore, online mailing was a key priority area

     identified by HIV Scotland in April 2019, some tenths before the

     breach occurred. MailChimp was procured in July 2019 and yet the CAN
     group was still not migrated to MailChimp by 3 February 2020. There

     was also a degree of negligence in that HIV Scotland's policies and
     procedures, and also the                                      was

      not sufficient at the time of the incident.


(c)  any action taken by the controller or processor to mitigate the
damage suffered by data subjects





                                   18                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

   54.     All affected recipients were emailed by HIV Scotland, and a
      statement was put on its website very shortly after the incident

      occurring. HIV Scotland also asked all recipients to delete the email. In
      addition, the matter was addressed at the CAN meeting on 8 February

      2020 when HIV Scotland outlined the action it had taken and offered

      the chance for queries or concernsThe sole complaint has been dealt
      with.


(dl   the degree of responsibility of the controller or processor taking
into account technical and organisational   measures implemented     by
them pursuant to Articles 25 and 32


   55.     HIV Scotland should have been aware of previous, very similar
      incidents that the ICO has fined and publicised. They were certainly

      aware of a case involving a UK controller that occurred in June 2019
      and identifiedhe need for a different system. MailChimp was procured

      but 7 months had passed and the CAN group had not yet been

      migrated to MailChimp at the time of the incident. HIV Scotland should
      have adopted a risk-based approach and should have identifiedhe

      CAN list as one of the more urgent groups, noting the potential for the
      inference of special category data; it is for this reason that the

      Commissioner is of the view that it should have prioritised its

      migration. Whilst HIV Scotland's           materials suggested that
      'BCC' was sufficient as a means of engaging in group emails, it should

      have identifiedhat this was a risk and at the very least put other

      measures in place such as not sending group emails out and sending
      such emails individually until MailChimp was fully implemented.


(el   any relevant  previous infringements   by the controller or
processor



   56.     The Commissioner   is unaware of any previous data protection
      infringementsby HIV Scotland.

                                    19                                                              •


                                                              ICO.
                                                              Information Commissioner's Office


(f)   the degree of cooperation  with the supervisory   authority, in
order to remedy the infringement    and mitigate the possible adverse
effects of the infringement

   57.     HIV Scotland were fully cooperative with the Commissioner's

      investigation.


(g)   the categories of personal data affected by the infringement


   58.     Whilst the disclosed data comprises email addresses which in

      themselves are not considered special category data, the
      Commissioner is of the view that it can be reasonably inferred that the

      individuals whose email address were impacted included individuals

      who are HIV positive or at risk of contracting the virus.


(h)   the manner in which the infringement    became known to the
supervisory  authority, in particular whether,  and if so to what extent,
the controller or processor notified the infringement


   59.     HIV Scotland notified the Commissioner about the breach on 3
      February 2020. HIV Scotland contacted the Commissioner's Helpline

      about the incident and completed the necessary 'breach report' within

      2 hours of the incident occurring.

(i)   where measures referred to in Article 58(2)    have previously
been ordered against the controller or processor concerned with
regard to the same subject-matter,    compliance with those measures;



   60.     Not applicable.


(j)   adherence to approved codes of conduct pursuant to Article 40
or approved certification  mechanisms    pursuant to Article 42;

   61.     Not applicable.


                                    20                                                              •

                                                              ICO.
                                                              Information Commissioner's Office


(k)   any other aggravating   or mitigating factor applicable to the
circumstances   of the case, such as financial benefits gained, or
losses avoided, directly or indirectly,from the infringement.


   62.     The Commissioner has considered the following aggravating
      factor in this case:



        •  The Commissioner has previously taken action against
           organisations for similar breaches. As such, the Commissioner

           takes the view that the risks of these kind of disclosures and the
           consequences for the potential harm that might be caused to

           data subjects was a matter that had been reported on both in
           mainstream and trade (privacy professional) media.



   63.     The Commissioner has considered  the following mitigating
      factors in this case:


        •                          are asked to read and refer to HIV

           Scotland's privacy policy - whilst this does not provide sufficient
           guidance or information generally about what           are

           required to do, it demonstrates that data protection

           considerations are not entirely absent from HIV Scotland's
           induction process.


        •  MailChimp had been procured but at the time of the breach the

           CAN group had not been migrated. The plan was that the group
           would be told about this at the meeting on 8 February 2020 so

           that they would be aware and to avoid emails going to 'Spam' or

           it not being clear who they were from. Full migration to
           MailChimp is now completed. Whilst the failure to implement this

           solution quickly is a material fact to the seriousness of the

                                    21                                                           •

                                                          ICO.
                                                          Information Commissioner's Office

        infringements, its procurement demonstrates that consideration
        of the improvements that could be made, specifically the security

        of email communications, was not entirely absent.


     •  The organisation has a training portal for-with  mandatory
        GDPRtraining refreshed every year.


     •  HIV Scotland took steps to remedy the incident by asking all
        recipients to delete the email on the same day that it was sent,

        and also added a message  to its website.



Summary    and decided penalty

64.     For the reasons set out above, the Commissioner has decided to

   impose a financial penalty on HIV ScotlandThe Commissioner has

   taken into account the size of HIV Scotland, publicly available
   information regarding its finances, and the representatimade by

   HIV Scotland as to its financial position. She is mindful that the penalty
   must be effective, proportionatand dissuasive.



65.     Taking into account all of the factors set out above, the
   Commissioner has decided to impose a penalty on HIV Scotland of

   £10,000  (ten thousand  pounds).


Payment of the penalty


66.     The penalty must be paid to the Commissioner's office by BACS

   transfer or cheque by 16 November  2021 at the latest. The penalty is
   not kept by the Commissioner but will be paid into the Consolidated

   Fund which isthe Government's general bank account at the Bank of

   England.


                                 22                                                             •

                                                             ICO.
                                                             Information Commissioner's Office

67.      There is a right of appeal to the First-tier Tribunal (Information
   Rights) against:


         (a)  The imposition of the penalty; and/or,
         (b)  The amount of the penalty specified in the penalty notice


68.      Any notice of appeal should be received by the Tribunal within 28

   days of the date of this penalty notice.


69.      The Commissioner will not take action to enforce a penalty

   unless:


      •  the period specified within the notice within which a penalty must

         be paid has expired and all or any of the penalty has not been
         paid;

      •  allrelevant appeals against the penalty notice and any variation
         of it have either been decided or withdrawn;and

      •  the period for appealing against the penalty and any variation of

         it has expired.


70.      In England, Wales and Northern Ireland, the penalty is

   recoverable by Order of the County Court or the High Court. In
   Scotland, the penalty can be enforced in the same manner as an

   extract registered decree arbitral bearing a warrant for execution
   issued by the sheriff court of any sheriffdom in Scotland.



71.      Your attention is drawn to Annex 1 to this Notice, which sets out
   details of your rights of appeal under s.162 DPA.






                                  23                                                    •

                                                    ICO.
          th                                        Information Commissioner's Office
Dated the 18day of October 2021

Director of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF


































                              24                                                            •

                                                           ICO.
                                                           Information Commissioner's Office

ANNEX 1


                    DATA PROTECTION     ACT 2018
       Rights of appeal against decisions of the Commissioner


1.   Section 162 of the Data Protection Act 2018 gives any person upon

     whom a penalty notice or variation notice has been served a right of

     appeal to the First-tier Tribunal (InformaRights) (the 'Tribunal')
     against the notice.


2.   If you decide to appeal and if the Tribunal considers:-



     a)    that the notice against which the appeal is brought is not in
           accordance with the law; or


     b)    to the extent that the notice involved an exercise of discretion by

           the Commissioner, that she ought to have exercised her
           discretion differently,



     the Tribunal will allow the appeal or substitute such other decision as
     could have been made by the Commissioner. In any other case the

     Tribunal will dismiss the appeal.


3.   You may bring an appeal by serving a notice of appeal on the Tribunal

     at the following address:


                General Regulatory Chamber
                HM  Courts &Tribunals Service
                PO Box 9300
                Leicester
                LEl 8DJ

           Telephone: 0203 936 8963

                                  25                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

            Email:     grc@justice.gov.uk


      a)   The notice of appeal should be sent so it is received by the
           Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it

            unless the Tribunal has extended the time for complying with this

            rule.


4.    The noticeof appeal should state:-


      a)    your name and address/name and address of your representative
            (if any);



      b)    an address where documents may be sent or delivered to you;


      c)   the name and address of the Information  Commissioner;


      d)    detailsof the decision to which the proceedings relate;


      e)   the result that you are seeking;


      f)   the grounds on which you rely;


      g)   you  must provide with the notice of appeal a copy of the penalty

            notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the notice

            of appeal must include a request for an extension of time and the
            reason why the notice of appeal was not provided in time.



                                     26                                                        •

                                                       ICO.
                                                       Information Commissioner's Office
5.   Before deciding whether or not to appeal you may wish to consult your
     solicitor or another advAt the hearing of an appeal a party may
     conduct his case himself or may be represented by any person whom

     he may appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier Tribunal
     (General Regulatoryhamber) are contained in sections 162 and 163
     of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal

     Procedure(First-tier Tribunal) (General Regulatory Chamber) Rules
     2009 (StatutorInstrument2009 No. 1976 (L.20))































                                27