Persistent sensitive information breaches failing people living with HIV says Information Commissioner

Last updated
10 December, 2024
Information Commissioner John Edwards has condemned data protection standards at health services for people living with HIV and called for urgent improvements.

The statement follows several data breaches, as well as concerns raised by some of the largest HIV organisations in the country.

In 2022/23, the health sector was the most common source of data breach reports made to the Information Commissioner’s Office (ICO), accounting for more than a fifth of the total.

The statement comes after the ICO fined the Central YMCA of London £7,500 for sending emails intended for people on an HIV support programme to 264 addresses using CC instead of BCC, so that every address was visible to every recipient. As a result, 166 people were identifiable or potentially identifiable.

The ICO has previously issued fines or reprimands for data breaches affecting people living with HIV to the charity HIV Scotland and the health board NHS Highland. Both breaches resulted from mistakes in using BCC for sensitive communications, a practice the ICO called on organisations to stop last year.

The ICO is further calling for better staff training, appropriate technical procedures and prompt reporting from HIV services.

Advice to service providers

Organisations handling any sensitive personal data should ensure:

Staff are thoroughly trained: organisations should have data protection training in place that is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal information safely and securely, and it must be clear to them which records they are allowed to access.

Appropriate technical measures are in place: appropriate measures, such as passwords and access controls, should be in place to ensure personal information can only be seen by people who need to use it.

Do not use BCC when sending bulk communications: failure to use BCC correctly in emails is one of the most frequently reported types of data breach each year, and these breaches can cause real harm, especially where sensitive personal information is involved. While BCC can be a useful function, it is not enough on its own to properly protect people's personal information, because a single slip (an address placed in To or CC rather than BCC) exposes every recipient to every other. If organisations are sending any sensitive personal information electronically, or are contacting individuals regarding health-related matters, they should use alternatives to BCC, such as bulk email services, mail merge (one separately addressed message per recipient), or secure data transfer services. Guidance on usage of BCC can be found here.

Staff are clear on the data breach reporting process: an organisation must report a personal data breach to the ICO if it is likely to result in a risk to people’s rights and freedoms, which is often the case with sensitive medical information. The report must be made within 72 hours of the organisation becoming aware of the breach. You can find more information on breach reporting here. Personal information breaches must be treated seriously, and with the recognition that the individuals affected may have been denied the dignity and privacy we all expect when accessing healthcare services.
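One way to put the BCC advice above into practice, as an added example (not code from this article or from the ICO): a small mail merge in Python that builds one separately addressed message per recipient, together with a pre-send check that refuses any message with more than one address visible in To or Cc, or with any Bcc at all. The addresses, sender and template are constructed sample data, and delivery is a dry run unless a real send callable is supplied.

```python
"""Per-recipient mail merge with a pre-send guard against the CC/BCC failure mode.

Added example; not code from the original article or the ICO. The recipient
list, sender address and template below are constructed sample data.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: a fictional support-programme mailing list.
RECIPIENTS = [
    ("Alice Example", "alice@example.org"),
    ("Bashir Example", "bashir@example.org"),
    ("Chen Example", "chen@example.org"),
]
SENDER = "support@example-charity.org"          # assumed sender address
SUBJECT = "Support group: next session"
BODY_TEMPLATE = "Dear {name},\n\nThe next session is on Thursday at 18:00.\n"


class RecipientExposure(ValueError):
    """Raised when a message would reveal one recipient's address to another."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient can read from the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def exposes_recipients(msg: EmailMessage) -> bool:
    """True if the message shows more than one address, or relies on Bcc at all.

    A correct mail server strips Bcc on delivery, but the breach described in the
    article is exactly the case where the list ended up in CC instead; a sensitive
    mailing should therefore never carry a second address in any recipient header.
    """
    return len(visible_recipients(msg)) > 1 or bool(msg.get_all("Bcc"))


def check_no_exposure(msg: EmailMessage) -> EmailMessage:
    """Pre-send guard: return the message unchanged or raise RecipientExposure."""
    if exposes_recipients(msg):
        raise RecipientExposure(
            f"{len(visible_recipients(msg))} addresses visible or Bcc present; "
            "send one message per recipient instead"
        )
    return msg


def build_bulk_message_cc(recipients) -> EmailMessage:
    """The failure mode: one message with the whole list in Cc (do not do this)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(f"{name} <{addr}>" for name, addr in recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY_TEMPLATE.format(name="all"))
    return msg


def build_individual_messages(recipients) -> list[EmailMessage]:
    """Mail merge: one message per recipient, each passed through the guard."""
    messages = []
    for name, addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = f"{name} <{addr}>"          # exactly one visible recipient
        msg["Subject"] = SUBJECT
        msg.set_content(BODY_TEMPLATE.format(name=name))
        messages.append(check_no_exposure(msg))
    return messages


def send_all(messages, deliver=None) -> int:
    """Deliver each message via deliver(msg); the default is a dry run (no network).

    For a real send, pass a bound method such as smtplib.SMTP(...).send_message
    after connecting and authenticating; every call then has one envelope recipient.
    """
    deliver = deliver or (lambda msg: None)
    sent = 0
    for msg in messages:
        deliver(check_no_exposure(msg))   # guard again at the point of sending
        sent += 1
    return sent


if __name__ == "__main__":
    try:
        check_no_exposure(build_bulk_message_cc(RECIPIENTS))
    except RecipientExposure as exc:
        print("blocked:", exc)
    print("sent", send_all(build_individual_messages(RECIPIENTS)), "individual messages")
```

The guard is deliberately applied twice, once when each message is built and once at the moment of delivery, so that a message assembled elsewhere in a larger system cannot bypass the check; wiring `send_all` to a real SMTP client is the only change needed for production use.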

Further support

The ICO is always on hand to support organisations in improving their data protection practices. View its online guidance for organisations here or contact the team by emailing [email protected] or on 0303 123 1114.


Shauna O'Neill
Communications Officer