Sending emails can be a risky business, especially when it comes to group emails. The charity HIV Scotland was recently fined £10,000 by the Information Commissioner's Office (ICO) following a 2020 data breach. The fine came after the charity sent out an email containing personal information to over 100 people.

The email was sent without using the blind carbon copy (bcc) function, which is an all-too common error when it comes to data protection. This meant that all email addresses and many names were visible to all recipients. HIV Scotland helps those living with HIV, or who are at risk of the disease. Given the nature of its work, those who received the email could assume the HIV status or risk of the people who had their details disclosed.

Inadequate training

Following the breach, the ICO investigated the incident and found a series of shortcomings in the charity's email procedures. These included:

• Inadequate staff training
• Incorrect methods of sending bulk emails by bcc
• Inadequate data protection policy.

Remarkably, HIV Scotland was actually aware of the data protection risks its emailing practices posed, but chose not to adequately address them. The ICO's investigation found that the charity had in fact procured a more secure system for bulk messages several months prior, after identifying the risk. However, it nonetheless continued to use the unsecure method. The regulator therefore found that there was a "serious and negligent failure to take appropriate organizational and technical steps to reduce the possibility of an incident occurring".

Ironically, HIV Scotland had shown it was aware of data protection risks when it commented critically on a similar issue involving a Health Board. As such, the ICO took the view that the charity should have implemented adequate processes to prevent such an incident within its own organization. It should have practiced what it preached.

HIV Scotland’s interim chief executive Alastair Hudson did apologize unreservedly to those affected by the data breach and stated that the charity took full responsibility for it. Following the fine, the ICO is urging all organizations to revisit their bulk email practices. Ken Macdonald, Head of ICO Regions, said:

“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help. I would encourage all organizations to revisit their bulk email policies to ensure they have robust procedures in place.”

Organizations particularly at risk of committing such data breaches include smaller organizations, such as local clubs, charities or societies. These often have little in the way of training or resources, and are often operated by voluntary staff, who send out group emails or texts quite casually. Many such volunteers will be unaware of the importance of using the bcc function with care. Training and proper processes are essential, as there is no exemption from data protection laws for smaller voluntary organizations, clubs or charities.

Charities hold sensitive data

Charities hold a great deal of sensitive data. Often this relates to the vulnerable people they support. This information must not fall into the wrong hands or be misused in any way. However, all too often, charities either aren’t aware of their obligations or don’t do enough to ensure that they meet them.

HIV Scotland is not the first organization to be fined for failing to use the bcc function correctly. In 2018, the ICO fined the Independent Inquiry into Child Sexual Abuse £200,000 after a staff member sent an email on 27 February 2017 directly to 90 inquiry participants, thereby revealing emails and names. Of the 90 email addresses circulated, fifty-two emails contained people’s full names, or had a name label attached which identified the person.

Similarly to the HIV Scotland case, the ICO investigation found that the inquiry had set up a particular email account which could send a separate email to each individual participant, but it failed to use it. The ICO also found that the inquiry’s staff had not been given adequate guidance or training as regards to checking that email addresses were in the bcc field. Perhaps the wisest course of action is to always use technical solutions for group or bulk emails that make it impossible to accidentally share the groups email addresses and names of the entire group.

Forgetting to send a group email via bcc is an easy mistake to make, which is precisely why organizations should adopt procedures, training and technical solutions which prevent it from happening.

Those affected by data breaches committed by charities are often their supporters, or those whom they are helping. Such people may therefore be understandably reluctant to take action against charities. Yet holding charities to account for data protection failures is often the only way to improve standards and protect the privacy of others.