ICO (UK) - HIV Scotland
Relevant Law: Article 5(1)(f) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
National Case Number/Name: HIV Scotland
European Case Law Identifier: n/a
Original Source: Information Commissioner's Office (in EN)
The UK DPA (ICO) imposed a fine of around €12,000 on HIV Scotland for failing to implement appropriate technical and organisational measures. The charity disclosed special category data by sending a group email with the recipients in CC rather than BCC.
HIV Scotland is a charity that supports people living with HIV, those at risk of HIV and individuals who support people with HIV. HIV Scotland set up a MailChimp account for its online mailings and migrated contact details to that bulk mailing platform. The contact list of its Community Advisory Network (CAN) was not migrated.
On 3 February 2020, an email was sent from Microsoft Outlook to 105 members of CAN with the recipients in CC rather than BCC. Every recipient could therefore see the email addresses of all the others, and 65 of those addresses identified the individual by name.
HIV Scotland noticed the error instantly and submitted a breach report, highlighting that individuals' HIV statuses could be deduced from this breach. HIV Scotland contacted the individuals to apologise and offered support if distress was caused.
HIV Scotland has since implemented MailChimp for all its mailing operations to reduce the risk of a repeat incident.
The Information Commissioner's Office (ICO) concluded that HIV Scotland had failed to implement appropriate technical and organisational measures. The ICO considered the following steps, taken by HIV Scotland before the breach, to be insufficient:
- GDPR awareness training within the first three months of employment
- Awareness of the requirement to use BCC for group emails
- An attempt to migrate contact details to MailChimp for better security
The ICO found the following deficiencies in HIV Scotland's technical and organisational measures:
- Staff had no guidance on how to handle personal data securely. According to the ICO, employees should have received GDPR training before handling personal data and within one month of their start date; this is all the more necessary where staff handle special category data.
- The investigation revealed that the charity had been aware of its poor data storage for ten months before the breach. The move to MailChimp was an attempt to remedy this, but it was not adequately implemented between July 2019 and the day of the breach, 3 February 2020. According to the ICO, a correct and full implementation of MailChimp would have prevented the disclosure of personal data.
The ICO clarified that although only email addresses were apparent, the special category data of 65 identified individuals could be inferred to a reasonable degree (HIV status).
The ICO deemed that HIV Scotland was fully aware of the risk of its practices, having criticised another controller for having suffered a similar error 6 months before HIV Scotland's own personal data breach.
The ICO concluded that HIV Scotland infringed Article 5(1)(f) GDPR by sending a single bulk email rather than a separate email to each intended recipient; in addition to not completing the migration to MailChimp, HIV Scotland failed to use BCC in Microsoft Outlook.
The ICO also concluded that HIV Scotland infringed Articles 32(1) and (2) of the GDPR by failing to have a level of security appropriate to the risk of processing. The ICO particularly highlighted the awareness within HIV Scotland that their practices prior to the breach were deficient.
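The control the ICO describes (addresses in BCC or one message per recipient, instead of a visible CC list) is easy to enforce in code rather than by staff training alone. The following is an added example, not code from HIV Scotland, the ICO or this page: a small Python mailing routine in which the member list travels only in the SMTP envelope and a pre-send guard refuses any message whose To/Cc headers would show more than one address. The sample addresses, the list address, the threshold and the RecordingSMTP stand-in for smtplib are all constructed for the demo; it assumes EmailMessage under Python's default email policy, whose address headers expose parsed addresses.

```python
# Added example (not HIV Scotland's or the ICO's code): a group mailing where the
# member list lives only in the SMTP envelope, plus a pre-send guard that refuses
# a message whose To/Cc headers would disclose more than one address.
from email.message import EmailMessage

# Constructed sample addresses for the demo; not real CAN members.
CAN_MEMBERS = [
    "alice.example@example.org",
    "bob.example@example.net",
    "c.smith@example.com",
    "d.jones@example.co.uk",
]
SENDER = "can-list@example.org"   # hypothetical list address

# More than this many addresses in To/Cc on a group mailing is treated as the
# CC-instead-of-BCC mistake and blocked.
MAX_VISIBLE_RECIPIENTS = 1


class VisibleRecipientsError(ValueError):
    """A message would disclose recipient addresses to every other recipient."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc (groups flattened)."""
    seen = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            seen.extend(a.addr_spec for a in header.addresses)
    return seen


def check_before_send(msg: EmailMessage, envelope: list[str]) -> None:
    """Pre-flight guard: raise instead of sending a message that leaks the member list."""
    if "Bcc" in msg:
        # Addresses must never travel in a header; the envelope is the only place for them.
        raise VisibleRecipientsError("Bcc header present; put recipients in the envelope only")
    shown = visible_recipients(msg)
    if len(shown) > MAX_VISIBLE_RECIPIENTS:
        raise VisibleRecipientsError(
            f"{len(shown)} addresses visible in To/Cc; a group mailing may show at most "
            f"{MAX_VISIBLE_RECIPIENTS}")
    if not envelope:
        raise ValueError("no envelope recipients")


def build_undisclosed(sender, subject, body, recipients):
    """One message to the whole group; header shows an empty group, addresses go in the envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Undisclosed recipients:;"   # RFC 5322 group with no members
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_individual(sender, subject, body, recipients):
    """One message per recipient, each addressed only to that person (the form the ICO expected)."""
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        yield msg, [rcpt]


def cc_style_message(sender, subject, body, recipients):
    """The failure mode from the case: every member in a visible Cc header. The guard rejects it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, [sender, *recipients]


class RecordingSMTP:
    """Stand-in for smtplib.SMTP so the example runs offline; records what would be sent."""
    def __init__(self):
        self.sent = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.sent.append((msg, list(to_addrs)))


def send_all(smtp, batches) -> int:
    """Run the guard on every (message, envelope) pair, then hand it to the SMTP client."""
    count = 0
    for msg, envelope in batches:
        check_before_send(msg, envelope)
        smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope)
        count += 1
    return count


if __name__ == "__main__":
    smtp = RecordingSMTP()
    send_all(smtp, [build_undisclosed(SENDER, "CAN update", "Hello all", CAN_MEMBERS)])
    send_all(smtp, build_individual(SENDER, "CAN update", "Hello", CAN_MEMBERS))
    try:
        send_all(smtp, [cc_style_message(SENDER, "CAN update", "Hello all", CAN_MEMBERS)])
    except VisibleRecipientsError as exc:
        print("blocked:", exc)
    print(len(smtp.sent), "messages handed to SMTP")
```

In production the RecordingSMTP object is replaced by an `smtplib.SMTP` connection; `smtplib.SMTP.send_message` takes the same `from_addr` and `to_addrs` arguments, so the envelope recipients are delivered without ever appearing in a header. The guard sits in front of the send call rather than relying on the sender remembering to use BCC, which is the organisational gap the ICO identified.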
When assessing the level of the fine, the ICO considered certain factors, such as:
- the fact that the breach of personal data would at least cause an element of distress for the individuals;
- the fact that the breach was negligent due to HIV Scotland's awareness that Outlook was not secure for sensitive communications and that HIV Scotland had criticised another controller for a similar error;
- the fact that HIV Scotland should have been aware of previous fines by the ICO regarding similar breaches and in any case were aware of the deficiencies of their own technical and organisational measures;
- the fact that special category data (HIV status) could be reasonably inferred as a result of the breach;
- the fact that HIV Scotland took steps to mitigate the damage suffered by individuals;
- the fact that HIV Scotland didn't have prior data protection infringements;
- the fact that HIV Scotland cooperated with the ICO; and
- the fact that HIV Scotland reported the breach to the ICO within 2 hours of the incident.
The ICO went on to impose a fine of approximately €12,000 on HIV Scotland.