All organisations are being urged to revisit their bulk email policies after a data protection breach led to the charity HIV Scotland being fined £10,000.
The Information Commissioner’s Office fined the charity after it sent a bulk email to 105 people in February 2020.
The email contained the agenda for an event of HIV Scotland’s Community Advisory Network, which brings together patient advocates from across the country.
However, the email used the carbon copy (CC) rather than the blind carbon copy (BCC) feature, meaning everyone who received the email could see the other recipients.
The email addresses could identify 65 people by name, and the ICO said an assumption could be made about their HIV status or risk based on this.
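The CC/BCC distinction above is the whole incident: with CC, every recipient's address travels in the headers of every copy; with BCC, the recipients exist only in the SMTP envelope and never appear in what the other recipients receive. The following is an added example, not code from the article or from any organisation it names, showing both addressing patterns with Python's standard `email` library and a simple pre-send guardrail that refuses a message exposing more than one non-sender address. The sender and member addresses are constructed placeholders.

```python
"""Added example: BCC-style bulk addressing versus the CC pattern, plus a
pre-send check that flags messages whose recipients can see each other.
All addresses are constructed placeholders, not from the article."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (hypothetical list address and five members).
SENDER = "network@example.org"
MEMBERS = [f"member{i}@example.net" for i in range(1, 6)]


def build_bulk_message(sender, recipients, subject, body):
    """Address a one-to-many message so recipients cannot see each other.

    Recipients go into the SMTP envelope only (the BCC pattern); no recipient
    address is written into the headers that every delivered copy carries.
    Returns (message, envelope_recipients); pass both to smtplib.sendmail().
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible To: is the sender's own address
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [sender] + list(recipients)
    return msg, envelope


def build_leaky_message(sender, recipients, subject, body):
    """The pattern behind the incident: every recipient placed in Cc:,
    so each copy of the message lists the whole group."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [sender] + list(recipients)
    return msg, envelope


def visible_recipients(msg):
    """Addresses every recipient will see: everything in To: and Cc:."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(values) if addr]


def check_before_send(msg, sender, max_visible=1):
    """Pre-send guardrail. A normal one-to-one email exposes one address;
    two or more visible non-sender addresses means recipients see each
    other. Returns (ok, exposed_addresses) so the caller can log or block."""
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    return len(exposed) <= max_visible, exposed


if __name__ == "__main__":
    safe, env = build_bulk_message(SENDER, MEMBERS, "Agenda", "Agenda attached.")
    leaky, _ = build_leaky_message(SENDER, MEMBERS, "Agenda", "Agenda attached.")
    print("BCC pattern:", check_before_send(safe, SENDER))
    print("CC pattern: ", check_before_send(leaky, SENDER))
```

The guardrail belongs wherever bulk mail is actually produced (a sending script, a mail gateway rule, or a mailing tool's send hook); checking headers at that point catches the human error the article describes before any copy leaves the organisation.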
HIV Scotland contacted the ICO and submitted a data breach report on the same day as the incident.
The charity’s chief executive apologised to all those involved in the breach, with the mistake being put down to “human error”.
An ICO investigation found shortcomings in the charity’s email procedures and inadequate staff training.
It found that the charity had procured the Mailchimp system to send secure emails in July 2019, but had not fully implemented it at the time of the data breach.
The ICO’s ruling said this “represents a serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring”.
Ken Macdonald, head of ICO Regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care.
“This avoidable error caused distress to the very people the charity seeks to help.
“I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”