How risky are your bulk email communications?
HIV charity fined for exposing personal data via email
The Information Commissioner’s Office (ICO) has fined HIV Scotland £10,000 for failing to protect personal data, in a case that should raise alarm bells in other organisations.
What went wrong?
The penalty came about after an email was sent by HIV Scotland to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the ‘CC’ field. In fact, 65 of the addresses identified people by name.
HIV Scotland contacted the Commissioner’s helpline about the incident and notified the Commissioner of the breach on 3 February 2020, completing the necessary notification within two hours of the incident occurring.
Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed.
An investigation by the ICO found a number of shortcomings in the charity’s email procedures, including:
- inadequate staff training
- an inadequate data protection policy
- an inappropriate method of sending bulk emails, namely relying on the ‘BCC’ (blind carbon copy) field.
During their investigation the ICO discovered HIV Scotland had procured a new system back in July 2019 to enable bulk emails to be sent securely. However, at the time of the breach seven months later, they had failed to migrate the CAN email list over to the new email system. The charity still continued to use the ‘BCC’ method of emailing to the CAN list.
The BCC method of bulk email is open to human error. In this instance, the email addresses of recipients were mistakenly placed in the CC field instead of the BCC field.
The ICO’s Monetary Penalty Notice states HIV Scotland ‘failed to implement an appropriate level of organisational and technical security to its internal email systems’ which resulted in the breach of special category data.
Email breaches have happened before
The ICO noted that it had previously taken action against organisations for similar breaches. The risks of this kind of disclosure, and the potential harm it can cause to data subjects, had been reported in both mainstream and trade media.
The charity’s Interim Chief Executive, Alastair Hudson, apologised unreservedly to anyone who had been affected by the data breach and said a new team and board of trustees had taken “robust steps” to improve information security.
The ICO recognised that HIV Scotland has completed procurement of the MailChimp email solution, implemented a training portal with mandatory UK GDPR training refreshed every year, and that it also took steps to try and mitigate the risks by asking all recipients to delete the email on the same day that it was sent. It has also added a message to its website.
ICO warns organisations about bulk emails
As a result of this case the ICO has issued a warning urging organisations to revisit their bulk email practices. This case should act as a reminder to organisations which handle special category or other sensitive data that their procedures, practices and technical measures need to be reviewed regularly to ensure they are fully up to scratch and don’t put people at risk from their data being exposed.
What actions can we take?
Organisations which send bulk emails might wish to make sure:
- staff who handle email communications have received sufficient training
- you have appropriate and robust email procedures in place which staff should follow
- you regularly remind staff of the correct procedures
Clearly there is a risk that, if you use the BCC method, email addresses could accidentally end up in the CC field rather than the BCC field, resulting in disclosure of personal data. The ICO is indicating that this method of sending should be avoided. If you regularly send emails using the BCC method, you should look to implement a bulk email solution that sends each recipient a separate message, so that the list of addresses never appears in a shared header and there is no field for a sender to get wrong.
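The two technical measures implied by the incident described above (refuse to send a message that exposes a list of addresses in To/CC, and send bulk mail as one message per recipient) can be expressed as code. The block below is an added example written for this page; it is not code from the ICO notice, HIV Scotland or any mail product. The recipient threshold, the sender address, the 105 invented member addresses and the function names are all assumptions made for illustration.

```python
"""Outbound guard against the CC-instead-of-BCC mistake (added example).

Two controls are shown:
1. A pre-send check that refuses a message whose visible To/Cc headers
   expose more than a small number of recipients to each other.
2. A per-recipient builder that produces one message per address, so no
   recipient header ever carries the list and there is no Bcc field for
   the sender to get wrong.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Optional

# Policy threshold (assumption): a message that shows this many or more
# addresses to every recipient is treated as a bulk send and blocked.
MAX_VISIBLE_RECIPIENTS = 5


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can see: everything in To and Cc.

    Bcc is deliberately excluded; the sending MTA strips it, so it is not
    visible to other recipients.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def check_outbound(msg: EmailMessage,
                   limit: int = MAX_VISIBLE_RECIPIENTS) -> Optional[str]:
    """Return None if the message may be sent, else the reason to block it."""
    seen = visible_recipients(msg)
    if len(seen) >= limit:
        return (f"blocked: {len(seen)} addresses exposed in To/Cc "
                f"(limit {limit}); use a per-recipient send instead")
    return None


def build_per_recipient(subject: str, body: str, sender: str,
                        recipients: List[str]) -> List[EmailMessage]:
    """Build one message per recipient with only that address in To.

    The list never appears in any header of any message, which is what a
    bulk-mail tool does for you. The caller hands the messages to its
    SMTP client one at a time.
    """
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        out.append(m)
    return out


# Constructed sample recreating the failure mode: a mailing-list send whose
# addresses were pasted into Cc rather than Bcc. All addresses are invented.
SENDER = "network@example.org"
LIST = [f"member{i:03d}@example.net" for i in range(105)]


def make_mistaken_message() -> EmailMessage:
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = SENDER
    m["Cc"] = ", ".join(LIST)          # the mistake: this should have been Bcc
    m["Subject"] = "Network update"
    m.set_content("Dear members, ...")
    return m


def make_bcc_message() -> EmailMessage:
    m = make_mistaken_message()
    del m["Cc"]
    m["Bcc"] = ", ".join(LIST)         # correct Bcc use passes the check
    return m


if __name__ == "__main__":
    print(check_outbound(make_mistaken_message()))   # blocked, 106 visible
    print(check_outbound(make_bcc_message()))        # None: allowed
    per_rcpt = build_per_recipient("Network update", "Dear member, ...",
                                   SENDER, LIST)
    print(len(per_rcpt), "separate messages, each showing one address")
```

The pre-send check is the kind of rule a mail gateway or add-in can enforce centrally, which removes the dependence on every individual remembering the right field; the per-recipient builder is the safer default for any list send, because it makes the CC/BCC choice disappear altogether.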