Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 after revealing the email addresses of more than 700 users of an HIV service. This was a classic case of putting all the email addresses of a large circulation group into the CC field so that all users saw everyone else’s email address.
Many of the addresses clearly identified individuals, and because the message came from an HIV service, receiving it potentially revealed each recipient's HIV status to every other recipient.
The ICO essentially found two breaches of the seventh data protection principle (appropriate technical and organisational measures against unauthorised or unlawful processing):
- Failing to use an account that could send a separate email to each service user.
- Failing to provide staff with specific training on the importance of double checking that the group e-mail addresses were entered into the “bcc” field.
This possibly sends a confusing message. If staff had received 'specific training on the importance of double checking that the group e-mail addresses were entered into the "bcc" field' but had still made an error, would there still have been a fine? Is training alone sufficient as an appropriate technical and organisational measure against unauthorised disclosure of personal data?
I would strongly argue that it is not when dealing with the most sensitive of personal data, as in this case. Well-trained staff still make mistakes. In my view, employers in this situation should apply poka-yoke (mistake-proofing) principles so that the error cannot happen at all. Such mailing lists MUST be handled by proper list-management software that sends a separate message to each recipient.
On that view, it is arguable that the second finding should not have been cited as a causative breach, although it may have been an aggravating factor. The danger is that the ICO's findings may lead some to assume that either one of the two preventative actions is sufficient, even for extremely sensitive data. Relying on BCC should not be.
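As an added illustration of the mistake-proofing argument above (example code written for this page, not anything the Trust, the ICO or any mailing-list product uses), the Python below builds one message per service user and runs every outgoing message through a guard that refuses anything carrying more than one address, whether in To, Cc or Bcc. The sender, the recipient list and the `transport` callable are constructed assumptions for the example; in production `transport` would wrap `smtplib.SMTP.send_message`.

```python
"""Per-recipient sending with a structural guard against group-address exposure.

Added example for this page; the addresses below are constructed, not real users.
"""
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr


class RecipientExposureError(ValueError):
    """Raised when an outgoing message would reveal one recipient to another."""


def addresses_in(msg, header):
    """Return the bare addresses found across every occurrence of `header`."""
    return [addr for _name, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_no_group_exposure(msg):
    """Reject any message that carries more than one external address.

    The rule is deliberately blunt: exactly one address in To, and no Cc or
    Bcc at all. Bcc is refused as well, because a Bcc header is exactly what a
    tired human moves into Cc by accident; the guard does not rely on the MTA
    stripping it.
    """
    to = addresses_in(msg, "To")
    cc = addresses_in(msg, "Cc")
    bcc = addresses_in(msg, "Bcc")
    if len(to) != 1:
        raise RecipientExposureError(f"expected exactly one To address, found {len(to)}")
    if cc or bcc:
        raise RecipientExposureError(f"Cc/Bcc not permitted: {len(cc)} Cc, {len(bcc)} Bcc")
    return True


def build_individual_messages(sender, recipients, subject, body):
    """Build one message per service user; the list itself never appears in a header."""
    messages = []
    seen = set()
    for entry in recipients:
        _name, addr = parseaddr(entry)
        if "@" not in addr:
            raise ValueError(f"not a usable address: {entry!r}")
        key = addr.lower()
        if key in seen:  # de-duplicate case-insensitively; one copy per person
            continue
        seen.add(key)
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def send_individually(sender, recipients, subject, body, transport):
    """Send one message per recipient through `transport`, checking each first.

    `transport` is any callable taking an EmailMessage (assumed interface).
    Returns the number of messages handed to the transport.
    """
    sent = 0
    for msg in build_individual_messages(sender, recipients, subject, body):
        check_no_group_exposure(msg)  # runs on every message, unconditionally
        transport(msg)
        sent += 1
    return sent


def build_group_message_unsafe(sender, recipients, subject, body):
    """The pattern the fine was about: one message, every address in Cc.

    Kept only so the guard can be shown rejecting it; never send this.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    users = ["alice@example.org", "Bob <bob@example.org>", "ALICE@example.org"]  # constructed
    outbox = []
    n = send_individually("clinic@example.org", users, "Newsletter", "Hello", outbox.append)
    print(f"sent {n} individual messages")
    try:
        check_no_group_exposure(
            build_group_message_unsafe("clinic@example.org", users, "Newsletter", "Hello"))
    except RecipientExposureError as exc:
        print("group message blocked:", exc)
```

The point of the design is that the safe behaviour does not depend on anyone remembering to use BCC: the only function that reaches the transport calls the guard on every message, and the guard is cheap enough to duplicate as a rule on the outbound relay or mail gateway so that a message addressed to many service users cannot leave the organisation by any path.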