The ICO has fined a Scottish charity £10,000 for an email data breach. An email was sent to 105 people, including patient advocates living in Scotland with HIV, and more than half of the email addresses identified people by name.
The ICO said that an assumption could be made about individuals' HIV status or risk from the personal data in the emails.
The ICO investigation found shortcomings which included:
- inadequate staff training
- incorrect methods of sending bulk emails, despite a more secure system being purchased seven months previously but not used
- inadequate data protection policy
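The second shortcoming is the technical root of the breach: a single message addressed to many recipients exposes every address to every recipient. The following is an added example (not code from the ICO, the charity or the original page) of a pre-send check that refuses a message with more than one visible recipient, alongside the safe alternative of building one message per recipient. The function names, the sample addresses and the threshold are all assumptions chosen for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list for the demonstration (not real data).
SAMPLE_RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that all recipients will see, i.e. To and Cc.

    Bcc is deliberately excluded: a correctly configured sending path
    strips it before delivery, so those addresses are not disclosed.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Pre-send gate for bulk mail. Returns a list of findings; empty means OK.

    max_visible=1 models the policy "no recipient may see another recipient":
    the only acceptable way to reach many people is one message each (or a
    proper mailing system that does the same thing on the sender's behalf).
    """
    findings: list[str] = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        findings.append(
            f"{len(visible)} recipient addresses exposed in To/Cc "
            f"(limit {max_visible})"
        )
    # Bcc is only safe if the sending path removes it; flag it so the operator
    # confirms that rather than assuming it.
    if msg.get_all("Bcc"):
        findings.append("Bcc header present; confirm the sending path strips it")
    return findings


def build_individual_messages(sender: str, recipients: list[str],
                              subject: str, body: str) -> list[EmailMessage]:
    """The safe pattern: one message per recipient, so nobody sees the list."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        messages.append(m)
    return messages


def make_sample_bad_message() -> EmailMessage:
    """Constructed example of the mistake: all recipients in a single To header."""
    bad = EmailMessage()
    bad["From"] = "newsletter@example.org"
    bad["To"] = ", ".join(SAMPLE_RECIPIENTS)
    bad["Subject"] = "Monthly update"
    bad.set_content("Hello everyone")
    return bad


if __name__ == "__main__":
    print("bad message:", check_bulk_message(make_sample_bad_message()))
    for m in build_individual_messages("newsletter@example.org",
                                       SAMPLE_RECIPIENTS, "Monthly update",
                                       "Hello"):
        print("individual message to", m["To"], "->", check_bulk_message(m))
```

A check like this belongs at the point where staff actually send mail (a send hook, a wrapper around the SMTP call, or a gateway rule), since a policy document alone did not prevent the incident described above; the check is what makes the policy enforceable.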
An ICO representative said “I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
What actions should you take? Do consider asking about our newly updated Data Protection Review, which now includes more on cyber security from the NCSC and covers exactly these issues.