It pays to think twice before you send an email, especially when it comes to sending bulk emails. The charity HIV Scotland was recently fined £10,000 by the Information Commissioner’s Office (ICO) in the wake of a 2020 data breach. The fine came after the charity sent out an email containing personal information to over 100 people.
The email was without using the blind carbon copy (bcc) function, which is an all-too common error when it comes to data protection. This, however, meant that all the email addresses and some names were visible to all recipients. HIV Scotland helps people living with HIV, or who are at risk of the disease. Given the nature of its work, the those who received the email could assume the HIV status or risk of those who had their details disclosed.
Following the breach, the ICO – the UK’s data protection regulator – investigated the incident and found a series of shortcomings in the charity’s email procedures. These included:
- Inadequate staff training
- Incorrect methods of sending bulk emails by bcc
- Inadequate data protection policy.
Interestingly, HIV Scotland was aware of the data protection risks its emailing practices posed, but it chose not to adequately address them. The ICO’s investigation even discovered that the charity had in fact procured a more secure system for bulk messages several months earlier after identifying the risk. However, it nonetheless continued to use the unsecure method. The regulator therefore found that there was a “serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring”.
Ironically, HIV Scotland had shown it was aware of data protection risks when it commented critically on a similar issue involving a Health Board. As such, the ICO took the view that the charity should have implemented adequate processes to prevent such an incident.
HIV Scotland’s interim chief executive Alastair Hudson apologised unreservedly to those affected by the data breach and stated that the charity took full responsibility for it. Following the fine, the ICO is urging all organisations to revisit their bulk email practices. Ken Macdonald, Head of ICO Regions, said:
“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help. I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
Organisations particularly at risk of committing data breaches include smaller organisations, such as local clubs and charities. These often have limited training or resources, and are operated by voluntary staff, who send out group emails or texts. Yet even adding a person’s number to a WhatsApp group without their consent risks exposing their name and number to others.
Many volunteers will be unaware of the importance of using the bcc function with care. Training and proper processes are essential, as there is no exemption from data protection laws for smaller voluntary organisations, clubs or charities.
Charities hold a lot of sensitive data. Often this relates to the vulnerable people they support and protect. This information must not fall into the wrong hands or be misused in any way. However, all too often, charities either aren’t aware of their obligations, or they simply haven’t taken the necessary steps to meet them.
HIV Scotland is not the first organisation to be fined for failing to use the BCC function correctly. In 2018, the ICO fined the Independent Inquiry into Child Sexual Abuse £200,000 after a staff member sent an email on 27 February 2017 directly to 90 inquiry participants, thereby revealing emails and names. Of the 90 addresses emailed, fifty-two email addresses contained people’s full names, or had a name label attached which identified the person.
Similarly to the HIV Scotland case, the ICO investigation into this matter found that the inquiry had a particular email account which could send an separate email to each individual participant, but it failed to use it. The ICO also found that the inquiry’s staff had not been given adequate guidance or training in terms of checking that email addresses were in the bcc field. Perhaps the wisest course of action is to always use technical solutions for group emails that make it impossible to accidentally share the groups email addresses and names of an entire group.
Forgetting to send a group email via bcc is an easy mistake to make, which is precisely why organisations should adopt procedures, training and technical solutions to prevent this from happening.
Those affected by data breaches committed by charities are often their supporters, or those whom they are helping. Such people may feel reluctant to take action against charities. Yet holding charities to account for data protection failures is often the only way to improve standards and ensure the continuation of their good work, and to protect the privacy of others.