Human error not to blame for £180,000 Dean Street Clinic breach

We wrote last year about the breach suffered by the Dean Street HIV clinic – when a member of staff accidentally entered the 781 email addresses into the “to” field instead of the blind carbon copy (“bcc”) field when sending the Clinic’s newsletter.

This meant recipients of the email could see the email addresses of all the other recipients – and infer their HIV status, spread the email further, or use social media and search engines to try to identify the individuals.

At the time “human error” was put forward as the cause; the ICO has now concluded otherwise.

Lessons to learn

(1) It was not human error

It is normally the poor employee or volunteer who lost the file, had their laptop stolen or (in this case) sent the email who gets labelled as the human at fault.

But as we suggested last year, the true error could be seen as higher up the chain of responsibility: there was a seeming lack of recognition of the risks posed by cutting and pasting 700+ emails into a standard email each time you wanted to send a newsletter about HIV.

The ICO also follows this logic. The ICO concluded that the Clinic “knew or ought reasonably to have known” that there was a risk of the breach occurring – because (1) they must have been aware there was a risk that staff could enter the email addresses into the wrong field of the email; (2) they should have recognised that such a breach would be likely to cause substantial distress; and (3) a similar breach had occurred five years earlier.

The ICO considered whether these breaches “could be characterised as one-off events or attributable to mere human error.” The ICO’s conclusion? No. The ICO did “not consider that the contravention could be characterised in those ways.” The breach resulted from an overall lack of recognition of the risks faced and their possible impacts, resulting in inappropriate controls being in place to manage the distribution of the newsletter.

Lesson to learn: Assess and understand the risks associated with the collection and use of all personal information by your organisation.

(2) You do have a choice in how to manage risk

The ICO considered whether the Clinic had taken “reasonable steps” to reduce the risk of a breach.

The ICO outlines two possible steps that could have been taken:

  1. Using a distribution system that sent a separate email to each service user – without the need to cut and paste the emails each time, or
  2. Providing specific training on the “importance of double checking that the group email addresses were entered into the ‘bcc’ field”.

The important point to note here is that the ICO is not mandating whether 1. (a technical solution) or 2. (an organisational measure) is preferable – just that if either had been in place, the Clinic could have demonstrated that it (a) recognised the risks and (b) was taking some action to try and reduce them.
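As an added illustration of the first option (not code from the original post or from the Clinic's own system), this builds one message per service user so that no recipient list ever reaches a To or Cc field, and refuses to hand any message to the transport if its delivered headers would disclose another address. The transport callable is a hypothetical stand-in for an SMTP client; the addresses are constructed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List

# Constructed sample data for the example; not real service-user addresses.
SAMPLE_RECIPIENTS = ["user1@example.invalid", "user2@example.invalid", "user3@example.invalid"]
SENDER = "newsletter@clinic.example.invalid"  # hypothetical sender address


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Every address a recipient could read from the delivered headers (To and Cc)."""
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(fields) if addr]


def is_disclosure_safe(msg: EmailMessage) -> bool:
    """True only if exactly one address is visible and no Bcc header is present.
    More than one visible address is the failure mode in the breach; a stray Bcc
    header is rejected because a per-recipient send never needs one."""
    return len(visible_recipients(msg)) == 1 and not msg.get_all("Bcc")


def breach_shaped_message(recipients: Iterable[str], subject: str, body: str) -> EmailMessage:
    """The pattern that caused the breach: the whole list pasted into To."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = SENDER, ", ".join(recipients), subject
    msg.set_content(body)
    return msg


def build_messages(recipients: Iterable[str], subject: str, body: str) -> List[EmailMessage]:
    """One message per service user; each To field holds exactly that user."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = SENDER, rcpt, subject
        msg.set_content(body)
        if not is_disclosure_safe(msg):  # defence in depth: never ship a list
            raise ValueError("message would disclose other recipients")
        messages.append(msg)
    return messages


def send_newsletter(recipients: Iterable[str], subject: str, body: str,
                    transport: Callable[[EmailMessage], None]) -> int:
    """Send each message via the transport (e.g. smtplib.SMTP.send_message); returns count sent."""
    messages = build_messages(recipients, subject, body)
    for msg in messages:
        transport(msg)
    return len(messages)
```

The same guard can be applied to a message produced by any existing sending path before it leaves the organisation, which is the control the Clinic's cut-and-paste process lacked.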

Lesson to learn: decide whether you accept each identified risk or, if not, how you plan to mitigate it. Then ensure you deliver the practical solutions so that staff have appropriate tools to do their jobs.

(3) Recognise the value of all the personal information you handle

This breach provides an answer to an age-old question – “does an email address count as personal data?”

The simple answer is yes, it can. An email address can contain your name; and this breach demonstrates that when email addresses are held in relation to a sensitive service which serves a small geographical area, in this day and age of social networks and internet search engines they can be very personal, because they could enable people to “infer the HIV status” of the recipients.

So the email address, in this case, should have been recognised as sensitive personal information – and afforded suitable protection. The same might be said of any information held by an organisation where association with that organisation, in any way, would divulge something sensitive about individuals – e.g. anything health related; past or present criminal convictions; religious belief. And more broadly, the reputational impact of mishandling large volumes of less sensitive information would still be significant.

Lesson to learn: ensure that decisions about assessing the value of information – even “just email addresses” – are taken at a senior level by those who know the values, aims and objectives of the organisation and can articulate the reputational impact that a breach may have for those associated with it (e.g. donors; service users; high value individuals; celebrities).

(4) Training remains important

All organisations have an obligation under data protection law to ensure those who handle personal information are “reliable” – i.e. that they are provided with suitable training.

In this case – as outlined above – the provision of suitable training was one possible way of reducing the risk of the breach occurring. But despite a similar breach occurring in 2010, the Clinic did not provide specific training to the staff who distributed the Clinic’s newsletter.

Training does not have to be the same for all staff – it can vary depending on the volume and sensitivity of personal information the staff member handles; the frequency with which they handle it; their seniority and responsibilities. But having some training plan in place, which you can explain and justify, is critical.

Lesson to learn: Ensure you provide suitable data protection training to all staff and volunteers who handle personal information.