December 01, 2021

What can charities learn from the HIV Scotland data breach?


In recent years, we have seen an increase in fines issued to organisations breaching their obligations under data protection law. Perhaps unsurprisingly, some of the most notable fines relate to personal data breaches – and unfortunately the charity sector has not survived unscathed.

Most recently, HIV Scotland (a charity that provides support for individuals living with or at risk of HIV, and for the supporters of those individuals) has been issued with a £10,000 fine after failings in its data security practices led to a personal data breach affecting a number of its members. The reason? Sending out bulk emails – something many of us have done without really considering the risks.

The HIV Scotland data breach

In February 2020, HIV Scotland sent an email using Microsoft Outlook to 105 individual members of its Community Advisory Network. Instead of sending the email using the Blind Carbon Copy (“BCC”) function as intended, the Carbon Copy (“CC”) function was used, revealing the email addresses of all the intended recipients (65 of which clearly identified individuals by their name). 

Although the email itself was not sensitive in nature (covering details of an upcoming event), due to the nature of the charity it was possible for assumptions to be drawn about the email recipients’ HIV status or risk. 

The ICO investigation into the breach identified shortcomings in the charity’s email procedures, including inadequate staff training, practices of using the BCC function to send out bulk emails (an insecure method), and an inadequate data protection policy. The ICO also found that despite HIV Scotland’s recognition of the risks in its email practices and the procurement of a system allowing secure bulk emails, it was still using the less secure BCC method seven months later.

These factors culminated in a conclusion that HIV Scotland’s policies and procedures were not sufficient at the time of the incident, leading to a substantial fine.

Adopting the ICO’s recommendations

In the wake of the HIV Scotland data breach, the ICO has issued a warning urging organisations to review their bulk email practices. 

So, what can charities do to ensure that their email practices are not falling foul of data protection law? Looking at the tripwires highlighted in the HIV Scotland case is certainly a good start. We look at the key takeaways from this case in turn:

The ICO investigation into HIV Scotland found that staff were required to complete data protection training annually but, in practice, training was not completed in a timely manner or indeed before staff were given access to personal data. 

Whenever your charity takes on a new member of staff, make sure that they undertake data protection training appropriate to their role before they are given access to any personal data, and remember the importance of ensuring that all staff with access to personal data are given timely refresher training (and remember to chase up any stragglers!).

The BCC function is a useful way of sending bulk emails without disclosing the email addresses of recipients. However, it is not without risk. In fact, this is not the first fine issued to an organisation that has incorrectly used this function. For example, in 2017, a fine of £200,000 was issued to the Independent Inquiry into Child Sexual Abuse after sending a bulk email that identified possible victims of non-recent child sexual abuse (in this case, the “To” field was used instead of “BCC”).

This does not mean that using the BCC field is prohibited, but rather that charities should consider more secure options and platforms to mitigate the risk of a single mis-addressed message exposing an entire recipient list.
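One technical control a charity could place in front of its mailing tooling, shown here as an added example that is not part of this article, the ICO's guidance or HIV Scotland's systems: a pre-send check that refuses any message whose To/Cc headers would reveal a recipient list, together with a sender that splits bulk mail into one message per recipient so that no shared recipient header exists to get wrong. The threshold and the addresses are constructed for the example.

```python
"""Pre-send guard against the CC-instead-of-BCC failure (illustrative example)."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy for this example: more than this many addresses visible
# in To/Cc is treated as an exposed recipient list and blocked.
MAX_VISIBLE_RECIPIENTS = 5


class RecipientExposureError(Exception):
    """Raised when sending would reveal other recipients' email addresses."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that all recipients would be able to see (To and Cc).

    BCC is deliberately excluded: those addresses are not delivered in headers.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg: EmailMessage) -> None:
    """Block the message if its visible headers expose a recipient list."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientExposureError(
            f"{len(exposed)} addresses would be visible in To/Cc; "
            "send individually instead"
        )


def build_individual_messages(sender: str, subject: str, body: str,
                              recipients: list[str]) -> list[EmailMessage]:
    """Split a bulk mailing into one message per recipient.

    Each message names only its own recipient, so there is no BCC/CC choice
    for staff to get wrong and no list to leak. Every message still passes
    through check_before_send as a defence in depth.
    """
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        check_before_send(m)
        messages.append(m)
    return messages
```

The returned messages would be handed to the charity's normal SMTP sending path; the guard is useful precisely because it does not rely on staff remembering which field to use.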

In the HIV Scotland case, the ICO found that HIV Scotland did not have a specific data protection policy dealing with the secure handling of personal data. Instead, staff were referred to a privacy policy (a public-facing statement providing individuals with privacy information about how the charity processes their personal data). There is an important distinction between an internal staff data protection policy and an outward facing privacy policy (sometimes called a privacy notice).

The privacy policy (or privacy notice) is a means by which organisations may provide individuals with specified privacy information as required by Articles 13 and 14 UK GDPR. In contrast, a data protection policy is an internal policy document aiming to provide staff with guidance on their obligations under data protection law. Charities should review their current arrangements to ensure that they have sufficient documentation in place to cover off these important and very separate functions.

So before continuing with your charity’s bulk email practices, take a moment to consider the lessons learned from the HIV Scotland data breach to make sure you are not caught out. 

If your charity would like further advice about its bulk email practices or general compliance with data protection law, please contact a member of our Information Law Team.
