Charity fined £10,000 for potentially revealing the HIV status of dozens of people in email blunder

HIV Scotland has been fined £10,000 by the Information Commissioner’s Office after sending an email that could have revealed the HIV status of dozens of people. 

The ICO said it had issued the fine after the charity sent an email in February last year with all recipients' addresses visible to 105 people, including patient advocates representing people living in Scotland with HIV. 

The regulator said 65 of the addresses identified people by name and “from the personal data disclosed, an assumption could be made about individuals’ HIV status or risk”. 

The charity apologised unreservedly for the breach and said the £10,000 fine was a “heavy blow” to a small charity. 

The ICO’s investigation found shortcomings in the charity’s email procedures, including inadequate staff training, incorrect methods of sending bulk emails and an insufficiently robust data protection policy.

The regulator also said that despite the charity’s recognition of the risks in its email distribution and the procurement of a system which enabled bulk messages to be sent more securely, it was still using an insufficiently secure method seven months later.
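The failure the ICO describes is a bulk mailing sent with every recipient visible in To or Cc rather than hidden in Bcc or sent as one message per recipient. The following Python is an added example, not code from HIV Scotland, the ICO or this article: an outbound-mail check that flags a message exposing its recipient list, plus two ways to rebuild it safely. The threshold `VISIBLE_RECIPIENT_LIMIT`, the function names and the sample addresses are all assumptions constructed for the example.

```python
"""Outbound bulk-mail guard: flag messages that expose their recipient list.

Added example (not HIV Scotland's or the ICO's code). It models the
mis-send described in the article: a bulk message with every recipient
visible in To/Cc. All addresses and names below are constructed.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterator

# Policy threshold (assumption): a message showing this many or more
# addresses in To/Cc is treated as a bulk send that leaks the recipient list.
VISIBLE_RECIPIENT_LIMIT = 5


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address any recipient can read from the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, limit: int = VISIBLE_RECIPIENT_LIMIT) -> dict:
    """Inspect one outbound message and report whether it leaks its recipient list."""
    visible = visible_recipients(msg)
    return {
        "visible_count": len(visible),
        "leaks_recipient_list": len(visible) >= limit,
    }


def split_bulk_message(msg: EmailMessage) -> Iterator[EmailMessage]:
    """Rebuild a leaking bulk message as one message per recipient.

    Each copy carries a single address in To and no Cc, so no recipient
    can learn who else was on the mailing.
    """
    for addr in visible_recipients(msg):
        single = EmailMessage()
        single["From"] = msg["From"]
        single["To"] = addr
        single["Subject"] = msg["Subject"]
        single.set_content(msg.get_content())
        yield single


def bcc_bulk_message(msg: EmailMessage) -> EmailMessage:
    """Alternative: one message, recipients moved to Bcc.

    To is set to the sender's own address; the real recipients sit in Bcc.
    smtplib's send_message() strips the Bcc header before transmission, so
    the envelope carries the addresses but no recipient sees the header.
    """
    safe = EmailMessage()
    safe["From"] = msg["From"]
    safe["To"] = msg["From"]
    safe["Bcc"] = ", ".join(visible_recipients(msg))
    safe["Subject"] = msg["Subject"]
    safe.set_content(msg.get_content())
    return safe


def build_leaking_sample(n: int = 105) -> EmailMessage:
    """Constructed sample: a bulk message with all n recipients visible in To."""
    msg = EmailMessage()
    msg["From"] = "updates@example.org"
    msg["To"] = ", ".join(f"advocate{i}@example.net" for i in range(n))
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello all, here is this month's update.")
    return msg


if __name__ == "__main__":
    leak = build_leaking_sample()
    print("original:", check_bulk_message(leak))
    for copy in split_bulk_message(leak):
        print("per-recipient copy:", check_bulk_message(copy))
        break
    print("bcc rebuild:", check_bulk_message(bcc_bulk_message(leak)))
```

Run as a pre-send hook, `check_bulk_message` is the control the article implies was missing: it blocks the mis-send rather than relying on each staff member remembering to use Bcc. The per-recipient rebuild is the stronger option for sensitive lists, since it also removes the risk of a Bcc header being preserved by a misconfigured client.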

Ken Macdonald, head of regions at the ICO, called for all organisations to revisit their bulk email policies to ensure they had robust procedures in place. 

“All personal data is important, but the very nature of HIV Scotland’s work should have compelled it to take particular care,” he said. 

“This avoidable error caused distress to the very people the charity seeks to help.”

Alastair Hudson, who was appointed interim chief executive of HIV Scotland in January, said: “HIV Scotland takes full responsibility and unreservedly apologises to those who may have been impacted by the data breach and we continue to offer our full support in any way we can. 

“Since installing our new team and board of trustees, we have taken robust steps to improve information security and we are confident that such an incident could not be repeated. 

“For a small charity, financially, I cannot deny that this is a heavy blow. However, we will find a way to pay the £10k fine to the ICO.”

The charity, which had an income of slightly more than £300,000 in 2020, has until 16 November to pay the fine. 

An independent review of governance at the charity was completed earlier this year after concerns were raised with the Office of the Scottish Charity Regulator about spending on consultants and advances made to the charity’s then-chief executive.
