ICO reprimands NHS Highland for disclosing identities of HIV patients
Regulator applies new approach to the public sector by issuing recommendations rather than a £35,000 fine
The Information Commissioner’s Office has reprimanded NHS Highland for emailing a group of 37 HIV service users in a way that allowed recipients to see each other’s email addresses. The provider has avoided a fine under the ICO’s current preference to reprimand public sector organisations.
The email, a forwarded invitation to a meeting, was sent by NHS Highland on behalf of another, undisclosed organisation on 13 June 2019. NHS Highland did not follow its own policy of using blind carbon copy (BCC) for the 37 recipient email addresses, and most of those addresses included the recipient's first name and surname, or parts of them.
The same day, a number of recipients telephoned, and one visited an NHS Highland clinic, to tell the organisation that the email addresses were visible; two recipients later submitted formal complaints. One recipient was able to identify at least four other people, including a former sexual partner. The organisation spoke to 19 patients by telephone and emailed the rest to ask them to delete the email.
In its reprimand, the ICO told NHS Highland to review and update relevant policies; consider appropriate technical and organisational measures when sending group emails; and assess its training on data protection, including on how to send group emails. The organisation will provide the regulator with an update in three months.
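An added example (not NHS Highland's or the ICO's code) of the kind of technical measure the reprimand points to: a small Python pre-send guard that builds a group message with recipients in Bcc only and refuses any message in which more than one recipient address would be visible to everyone who receives it. The addresses, the sender and the function names are constructed for illustration.

```python
# Added example, not NHS Highland's or the ICO's code. A send-time guard for a
# mail-sending script: group recipients go only into the envelope (Bcc), and a
# message is refused if more than one recipient address would be visible to
# everyone who receives it. All addresses below are constructed sample data.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data standing in for a service-user mailing list.
SENDER = "clinic-admin@example.org"
SAMPLE_RECIPIENTS = ["a.patient@example.org", "b.patient@example.org", "c.patient@example.org"]


def visible_recipients(msg: EmailMessage) -> set[str]:
    """Addresses every recipient will see: the To and Cc headers (never Bcc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def build_group_email(sender, recipients, subject, body, use_bcc=True) -> EmailMessage:
    """Build a group message. use_bcc=True follows the BCC policy: only the
    sender's own address is visible, recipients ride in Bcc, which
    smtplib.send_message uses for the SMTP envelope and then strips from the
    transmitted headers. use_bcc=False reproduces the failure mode: all
    addresses placed in To, where each recipient can read them all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if use_bcc:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def exposed_addresses(msg: EmailMessage) -> set[str]:
    """Recipient addresses, other than the sender's own, that would be disclosed."""
    sender = getaddresses(msg.get_all("From", []))[0][1].lower()
    return visible_recipients(msg) - {sender}


def check_before_send(msg: EmailMessage) -> EmailMessage:
    """Gate in front of smtplib: one visible recipient is an ordinary one-to-one
    email; more than one means a group mailing sent without Bcc, so refuse it."""
    exposed = exposed_addresses(msg)
    if len(exposed) > 1:
        raise ValueError(f"refusing to send: {len(exposed)} recipient addresses "
                         "would be visible to every recipient; use Bcc")
    return msg
```

Wiring `check_before_send` in front of the actual `smtplib.SMTP.send_message` call turns the BCC policy from a training point into a control that cannot be skipped by forwarding in a hurry.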
“Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data,” said ICO deputy commissioner for regulatory supervision Stephen Bonner. “Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe.”
The ICO applied its public sector approach, announced in June 2022, under which the regulator will generally reprimand rather than fine public sector organisations, because a fine can reduce the budgets of those who have been victims of a breach rather than affect the perpetrators. It said that the reprimand was an alternative to fining NHS Highland £35,000. In a piece written recently for PublicTechnology sister publication Civil Service World, the information commissioner John Edwards said that this approach aims to provide support to help organisations change and get things right.