The ICO has fined the YMCA £7,500 for sending an email to over 150 identifiable addressees, using Cc rather than Bcc and therefore revealing the identity of the other addressees to the email. The email was addressed to those participating in a programme for people living with HIV and therefore it could be inferred that it was likely they had HIV.
The ICO found the following key areas where the YMCA failed to take reasonable steps to prevent the breach.
- There was no written policy in place in relation to the sending of group emails
- They failed to use an email marketing platform which would have reduced the likelihood of a disclosure
- Completion of data protection training was not monitored
- There were deficiencies in the YMCA’s data protection training
The starting point for the fine was £300,000 in light of the seriousness of the breach but was reduced to £7,500 on the basis of the “Commissioner’s current policy”, referring to the public sector approach (preferring working with the public sector to encourage compliance, issuing fines only where they are “truly needed”). The ICO made reference to the enforcement action in its wider note raising awareness about persistent breaches which are failing people living with HIV.
The full penalty notice can be found here and the ICO’s statement on breaches involving HIV information can be found here.
