ICO fines charity £10,000 for UK GDPR breach

On 22 October the Information Commissioner’s Office (ICO) fined an HIV charity £10,000 for a breach of the UK GDPR. According to the ICO, the charity failed to apply appropriate organisational and technical security measures to its internal email systems.

This decision - which comes just three months after the ICO fined another charity £25,000 for a sensitive data breach - provides key takeaways for production companies.


What happened?

In February 2020 the charity sent an email to 105 people using the CC function instead of the BCC function. This meant that the email addresses - 65 of which identified the recipients by name - were visible to all recipients.

Because of the nature of the email and the charity, the breach could lead to assumptions about individuals’ HIV status or risk: while the email addresses themselves didn’t constitute special category data, special category data relating to the recipients’ health could be inferred from them.

The breach was identified immediately and the message was recalled, but it was impossible to determine how successful this was. The charity reported the incident to the ICO on the day it happened.

ICO’s decision

Although the charity had some organisational and technical security measures in place, the ICO decided that these weren’t enough.

In particular, the ICO found that the charity didn’t have a specific policy on the secure handling of personal data (instead, employees relied on the charity’s Privacy Policy, a public document which covered topics such as cookie use and data subject access rights).

The ICO also found that while the charity had procured a system which allowed bulk messages to be sent more securely seven months earlier, it hadn’t started using this and was continuing to use email.

Key takeaways for production

This decision has a number of key takeaways for production companies:

  • The ICO is continuing to crack down on organisations which don’t have sufficient safeguards in place to protect people’s data, particularly special category data.

  • It’s important to have an appropriate data protection policy in place which focuses on your team’s handling of personal data.

  • Individuals who handle personal data (particularly special category data) should be trained on how to do so before they’re given access to the data.

  • The use of email for sensitive communications can leave you exposed to a data breach. Messaging systems which include functionality for sending messages more securely can help to reduce the risk of information being shared with the wrong people.

  • It’s important to be aware of the dangers of collecting special category data via email. This includes health data (eg, vaccination data) and diversity data.
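As an added illustration of the kind of safeguard the last two takeaways point to (this is example code, not the charity’s system or POP’s product): a pre-send gate that refuses any message exposing more than a policy limit of addresses in To/Cc, and a helper that moves the recipient list to Bcc so each delivered copy carries no list of other recipients. The threshold of 10 and the addresses are constructed for the demo.

```python
from email.message import EmailMessage
from email.utils import getaddresses

VISIBLE_RECIPIENT_LIMIT = 10  # constructed policy threshold; set per organisation


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses in Bcc; an MTA/smtplib.send_message strips this header before delivery."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_bulk_send(msg: EmailMessage, limit: int = VISIBLE_RECIPIENT_LIMIT) -> tuple[bool, str]:
    """Policy gate: block a message that would disclose more than `limit` addresses to each other."""
    visible = visible_recipients(msg)
    if len(visible) > limit:
        return False, (f"{len(visible)} visible recipients exceed the limit of {limit}; "
                       "use Bcc or a bulk-messaging system instead")
    return True, "ok"


def rewrite_to_bcc(msg: EmailMessage, to_placeholder: str) -> EmailMessage:
    """Move every To/Cc recipient into Bcc; To gets a single non-disclosing address
    (e.g. the sender's own mailbox) so the header is not empty."""
    recipients = visible_recipients(msg)
    for header in ("To", "Cc", "Bcc"):
        del msg[header]          # removes every occurrence of the header
    msg["To"] = to_placeholder
    msg["Bcc"] = ", ".join(recipients)
    return msg


def demo_message(count: int = 105) -> EmailMessage:
    """Constructed reproduction of the mistake: all recipients placed in Cc."""
    msg = EmailMessage()
    msg["From"] = "newsletter@charity.example"
    msg["Subject"] = "Service update"
    msg["Cc"] = ", ".join(f"recipient{i}@example.org" for i in range(count))
    msg.set_content("Constructed body for the example.")
    return msg
```

Running `check_bulk_send(demo_message())` rejects the 105-recipient message; after `rewrite_to_bcc` the same message passes the gate with all 105 addresses hidden.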

Further reading

For more information on the UK GDPR, check out our recent blogs:

To find out more about how POP’s tech can help you to keep your data secure, get in touch at hello@wegotpop.com.
