ICO reprimands NHS Highland for disclosing identities of HIV patients

Written by PublicTechnology staff on 3 April 2023 in News

Regulator applies new approach to the public sector by issuing recommendations rather than a £35,000 fine


The Information Commissioner’s Office has reprimanded NHS Highland for emailing a group of 37 HIV service users in a way that allowed recipients to see each other’s email addresses. The provider has avoided a fine under the ICO’s current preference to reprimand public sector organisations.

The email, a forwarded invitation to a meeting, was sent by NHS Highland on behalf of another, undisclosed organisation on 13 June 2019. NHS Highland did not follow its own policy of using blind carbon copy (BCC) for the 37 recipient email addresses, most of which included the recipient's first name and surname, or parts of these.

On the same day, several recipients telephoned, and one visited an NHS Highland clinic, to report that the email addresses were visible; two later submitted formal complaints. One recipient was able to identify at least four other people, including a former sexual partner. NHS Highland spoke to 19 patients by telephone and emailed the rest to ask them to delete the email.


In its reprimand, the ICO told NHS Highland to review and update relevant policies; consider appropriate technical and organisational measures when sending group emails; and assess its training on data protection, including on how to send group emails. The organisation will provide the regulator with an update in three months.
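One technical measure of the kind the reprimand asks for, shown here as an added example that is not part of the article and not NHS Highland's own tooling: a pre-send check that flags a group email whose recipients are exposed in To/Cc and rewrites it so they sit in Bcc. The recipient threshold, the mailbox names and the 37 patient addresses are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: any email with more than this many visible recipients
# (To + Cc) is a group email and must carry its recipients in Bcc.
GROUP_THRESHOLD = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will be able to read: the To and Cc headers."""
    addrs = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def check_group_email(msg: EmailMessage) -> list[str]:
    """Return policy findings; an empty list means the message may be sent as-is."""
    visible = visible_recipients(msg)
    if len(visible) > GROUP_THRESHOLD:
        return [f"{len(visible)} recipient addresses exposed in To/Cc; use Bcc"]
    return []


def enforce_bcc(msg: EmailMessage, sender_mailbox: str) -> EmailMessage:
    """Move exposed recipients into Bcc; To then names only the sending mailbox.

    smtplib.send_message() delivers to Bcc addresses and strips the header
    before transmission, so recipients cannot see one another."""
    if not check_group_email(msg):
        return msg
    hidden = visible_recipients(msg)
    existing = [a for _n, a in getaddresses(msg.get_all("Bcc", [])) if a]
    del msg["To"], msg["Cc"], msg["Bcc"]
    msg["To"] = sender_mailbox
    msg["Bcc"] = ", ".join(dict.fromkeys(existing + hidden))  # de-duplicated
    return msg


def sample_message() -> EmailMessage:
    """Constructed example: 37 service users listed openly in To, as in the incident."""
    msg = EmailMessage()
    msg["From"] = "hiv-service@example.org"
    msg["To"] = ", ".join(f"patient{i:02d}@example.org" for i in range(1, 38))
    msg["Subject"] = "Fwd: meeting invitation"
    msg.set_content("Constructed body text.")
    return msg
```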

“Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data,” said ICO deputy commissioner for regulatory supervision Stephen Bonner. “Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe.”

The ICO applied its public sector approach, announced in June 2022, under which the regulator will generally reprimand rather than fine public sector organisations, on the grounds that a fine tends to reduce the budget of the organisation whose service users were affected by the breach rather than penalise those responsible. It said that the reprimand was an alternative to fining NHS Highland £35,000. In a piece written recently for PublicTechnology sister publication Civil Service World, the information commissioner John Edwards said that this approach aims to provide support to help organisations change and get things right.

