HIV Scotland Fine: Lessons Learnt

HIV Scotland has been fined £10,000 after the charity sent out an email containing the personal details of dozens of people.


Emails, bcc and breaches – the latest fine, and what to learn

Like buses, the second fine for a charity has arrived in quick succession, following the £25,000 fine for Mermaids (see our five lessons to learn).

There are a number of similarities. Again, the size of the organisation wasn’t critical – it’s all about who you are and what you do with personal data that drives the ICO’s expectations.

And again, the ICO was at pains to highlight that even basic personal data (email addresses) can, in the right circumstances, enable people to reasonably infer something very sensitive about a person:

  • “An email address which clearly relates to an identified or identifiable living individual is considered to be personal data” (para 34).
  • “…the content of the email…combined with the identity of the organisation sending the email, does reveal information about the recipients. Namely, the recipients are identified as HIV Scotland CAN members… Consequently… special category data can be inferred to a reasonable degree in so far as the disclosure of the email addresses connects those individuals with an organisation that provides HIV support services.” (para 36).

However, there are some different lessons to learn from this fine:

  1. Completing transformation projects is important

HIV Scotland identified the use of normal email to distribute information as a “key organisational priority” in April 2019. They purchased Mailchimp in July 2019.

But despite identifying “the need for improvements to online mailings as early as ten months prior to the breach” it was “not adequately implemented by the time of the breach on 3 February 2020.”

Data protection is often pushed back behind other priorities. But if you are sufficiently active and able to identify risks, the ICO will, on the one hand, recognise your efforts (see lesson 2 below) but will understandably expect you to address them in a timely manner:

  • “…despite a clear recognition of the risks of the use of BCC, insufficient steps were taken quickly enough to prevent the disclosure of service users’ emails. This is despite a solution having already been procured and in use in regard to other areas of HIV Scotland’s estate. This represents a serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring.” (para 33d).

  2. Identifying risks is central to doing data protection well

The ICO noted how the procurement of Mailchimp demonstrated “that consideration of the improvements that could be made, specifically the security of email communications, was not entirely absent” (para 63).

This was one of the mitigating factors the ICO considered when deciding whether to issue a fine and, if so, the amount.

Equally, the ICO was critical of the fact that HIV Scotland, having identified the risk, did not update its existing guidance to staff around the use of BCC whilst the project was ongoing.

  • “…at the very least [they should have] put other measures in place such as not sending group emails out and sending such emails individually until MailChimp was fully implemented.” (para 55).

Identification and management of data protection risks is central to embedding data protection into business-as-usual processes.
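The interim control the notice describes (stop sending group emails; send them individually until the mailing tool is live) is easy to enforce in code. This is an added example, not code from HIV Scotland, the ICO or this post: it builds one message per recipient so no address is ever visible to another, and a pre-send check refuses any message whose To/Cc headers would expose a recipient list. The `transport` callable is an assumed stand-in for whatever actually delivers the mail.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable

# Guard rail for the legacy path: refuse any outbound message whose visible
# headers (To/Cc) would show more than this many addresses to a recipient.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address a recipient could read from the To and Cc headers."""
    values = [v for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def exposes_recipient_list(msg: EmailMessage) -> bool:
    """True when sending this message would disclose other recipients."""
    return len(visible_recipients(msg)) > MAX_VISIBLE_RECIPIENTS


def build_group_message(sender: str, recipients: Iterable[str], subject: str,
                        body: str, use_bcc: bool = False) -> EmailMessage:
    """The legacy single-message pattern: addresses in To (leaks) or in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["Bcc" if use_bcc else "To"] = ", ".join(recipients)
    if use_bcc:
        msg["To"] = sender  # the only visible address is the sender's own
    msg.set_content(body)
    return msg


def build_individual_messages(sender: str, recipients: Iterable[str],
                              subject: str, body: str) -> list[EmailMessage]:
    """The interim control from the notice: one message per recipient."""
    messages = []
    for rcpt in dict.fromkeys(r.strip() for r in recipients if r.strip()):
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def send_safely(msg: EmailMessage,
                transport: Callable[[EmailMessage], None]) -> bool:
    """Hand the message to the transport only if it cannot leak addresses."""
    if exposes_recipient_list(msg):
        return False
    transport(msg)
    return True
```

Wiring `send_safely` in front of the real transport turns the staff guidance into a control that fails closed rather than relying on each person remembering the BCC field.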

  3. It was human error…but this didn’t stop the organisation being found at fault

This is often the first response to such breaches, and HIV Scotland first attributed the incident to “human error.”

It is true an employee made an error. And in this case, the ICO implies that the employee in question “had completed the ‘…GDPR & email use inc BCC for group emails’ (sic) awareness training.” (para 43).

So why was the organisation still found in breach?

  • Because all organisations have an obligation to implement “a level of security appropriate to the risk when processing data” and the ICO considered that, in this case, HIV Scotland “failed to implement a level of security appropriate to the risk” despite having “actively recognised the need for greater outbound mailing security” and procuring “a MailChimp account which, if implemented, would have mitigated the risk of a breach.”
  • However, it “failed to implement this level of security in relation to the [data] which, had it done so, would have significantly reduced the likelihood of the breach occurring.” (para 44).
  • Ultimately, the breach occurred “primarily as a result of serious deficiencies in HIV Scotland’s technical and organisational measures.” (para 31).

  4. When you provide training is critical

The Mermaids fine considered whether training was effective (see Lesson 5 there). In this case, the ICO looked at when training should be provided.

HIV Scotland required all staff to complete online training on an annual basis. The ICO considered this “a weakness and a risk;” whilst noting that neither the DPA nor the GDPR states when training should be undertaken, the ICO stated that it:

  • “would expect an organisation to train employees handling personal data, and in particular data which is special category in nature or by inference before an individual is given access to such data.”
  • notes that its current guidance “recommends that staff receive induction training prior to accessing personal data and within one month of their start date.” (para 33(c))

  5. Effective breach management brings benefits

The ICO noted that HIV Scotland:

  • Identified the breach immediately.
  • Asked for the recipients to delete the email.
  • Contacted the ICO and completed a breach report on the same day as the incident.
  • Emailed all recipients with an apology from the Chief Executive.
  • Put a statement on their website.
  • Offered personal support in the event of any distress caused.
  • Decided to fully audit all of its security and data management procedures.

As with having risk management within your organisation (lesson 2 above), HIV Scotland’s timely and detailed response to the breach was one of the mitigating factors the ICO considered when deciding whether to issue a fine and, if so, the amount.