Think twice before you send bulk emails, writes Kingsley Hayes, Head of Data Breach at Keller Lenkner UK. Even a single email can cause a significant data breach, which could result in regulatory action, fines and litigation.

The charity, HIV Scotland, was recently fined £10,000 by the Information Commissioner's Office (ICO) in the wake of a 2020 data breach. The fine came after the charity sent out an email containing personal information to over 100 people.

The member of staff who sent the email did so without using the blind carbon copy (bcc) function, which is an all-too-common error when it comes to data protection. As a result of this error, all the email addresses and some individuals’ names were sent to all recipients.

HIV Scotland helps people living with HIV and those who are at risk of the disease; given the nature of the charity’s work, those who received the email could assume the HIV status or risk of those who’d had their details disclosed. Medical data is classified as sensitive data under data protection law.

‘Negligent failure’

In the wake of this data breach, the ICO - the UK’s data protection regulator - investigated the incident and found a series of shortcomings in the charity's email procedures. These included:

  • inadequate staff training
  • incorrect methods of sending bulk emails by bcc
  • inadequate data protection policy

One remarkable finding was that HIV Scotland was actually aware of the data protection risks which its rather casual bulk emailing practices posed. However, it chose not to adequately address these risks.

The ICO's investigation discovered that the charity had procured a more secure system for bulk messages several months earlier, after correctly identifying the data protection risk. However, it nonetheless continued to use the insecure method.

The regulator found that there was a ‘serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring.’

Practice what you preach

The clear lesson for organisations is that carrying out a data risk assessment, but not actually implementing it, could result in increased regulatory disfavour. Another important lesson is that those in glass houses should not throw stones.

HIV Scotland had shown that it was aware of the importance of data protection risks when it commented critically on a similar issue involving a Health Board. As such, the ICO took the view that the charity should have implemented adequate processes to prevent such an incident within its own organisation.

HIV Scotland’s interim chief executive Alastair Hudson apologised unreservedly to those affected by the data breach and stated that the charity took full responsibility for it. Following the fine imposed on HIV Scotland, the ICO is urging all organisations to revisit their bulk email practices. Ken Macdonald, Head of ICO Regions, said:

‘All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help. I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.’

There’s no exemption for small organisations

Smaller organisations are often particularly at risk of committing data breaches. Local clubs and charities often have little in the way of data protection training or resources, and are run by voluntary staff, who often use their own devices to send out group emails or texts quite casually. 

Many such volunteers will be unaware of the importance of using the bcc function at all. Training and compliant processes are essential, as there’s no exemption from data protection laws for smaller voluntary organisations, clubs or charities.

Charities often hold a lot of sensitive data. Often this relates to the vulnerable people they support and protect. This information must not fall into the wrong hands or be misused in any way. However, all too often, charities either aren’t aware of their obligations, or they simply haven’t taken the necessary steps to meet them.

Training is key

HIV Scotland is not the first organisation to be fined for failing to use the bcc function correctly. In 2018, the ICO fined the Independent Inquiry into Child Sexual Abuse £200,000 after a staff member sent an email on 27 February 2017 directly to 90 inquiry participants, thereby revealing emails and names. Again, this breach occurred in a highly sensitive context. Of the 90 addresses emailed, fifty-two email addresses contained people’s full names, or had a name label attached.

In a manner analogous to the HIV Scotland case, the ICO investigation into this matter found that the inquiry actually had a particular email account which would send a separate email to each individual participant, but it failed to use it.

The ICO also found that the inquiry’s staff had not been given adequate guidance or training in terms of checking that email addresses were in the bcc field. Perhaps the wisest course of action is to always use technical solutions for group emails.

There are software packages which effectively make it impossible to accidentally share the group’s email addresses with an entire group. These bulk mailing programmes can be easily set up and are easy to use.

Forgetting to send a group email via bcc is an easy mistake to make. The very ease with which it can occur is precisely why organisations should adopt procedures, training and technical solutions which prevent it from happening.

Regulation works

Those who are affected by data breaches by charities are often their supporters, or those whom they are helping. Such people may understandably feel somewhat reluctant to take action against charities. Yet holding charities accountable for data protection failures is often the only way to improve standards. The HIV Scotland case demonstrates that even when charities know that a risk exists, and even when they have the means to obviate said risks, an organisational inertia can prevent those measures from being taken.

As a result, vulnerable people can end up having their sensitive data exposed publicly. The unfortunate truth is that it takes the threat of regulatory intervention for organisations to step up and meet their obligations in terms of data protection. At the end of the day, such intervention serves to protect the privacy of others, while also ensuring the continuation of the charity’s good work.

Claiming damages

Those who are impacted by a data breach may also take legal action to get compensation for the breach. Claimants may claim compensation for both ‘material damage’, such as actual financial losses, and also ‘non-material damage’, which may include the distress a person has suffered due to the data breach. Often, such claims come in the wake of an adverse ICO ruling, since such a ruling will often effectively establish liability, which makes the claimant’s task all the easier.

The ICO is clear that it ‘cannot award compensation’ and says, ‘We strongly recommend you take independent legal advice on the strength of your case before taking any claim to court.’

The stakes are high

To make matters more complicated, in the wake of Brexit, there are two versions of the General Data Protection Regulation (GDPR) which UK organisations must regard. The UK laws, as set out in the Data Protection Act 2018 (DPA 2018), apply to the processing of UK residents’ personal data, while the EU’s GDPR continues to apply when processing the personal data of EU residents.

The DPA 2018 enables the ICO to impose a maximum fine of £17.5 million or 4% of an organisation’s annual global turnover, whichever is greater. Meanwhile, the EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover, whichever is greater.

Clearly, the financial impact of a data breach can be devastating. For organisations responsible for a data breach, the costs of litigation are in addition to the costs of dealing with the regulator and paying any fines which are imposed. Not only that, but a data breach can cause serious reputational damage, reduced staff morale and a loss of business.

The ICO also has the power to ban an organisation temporarily or permanently from data processing. It can also suspend the right of a data processor to send data to third countries. Such orders could completely prevent some companies from operating. For some organisations, the indirect financial consequences of such orders could be far worse than the direct impact of a fine.

Despite the huge risks involved, many organisations still have data protection compliance somewhere on a ‘to do’ list. Given how high the stakes are, they should consider moving it to the very top of that list. Those organisations with a solid data protection regime in place should make sure that it is updated and implemented in full and that staff are fully trained.

As the HIV Scotland case reminds us, even a single email error can lead to disaster.