Think before you send
Charities should ensure that all staff and volunteers understand the data protection risks associated with sending even a single email. These risks naturally multiply when distributing bulk emails. Yet even a single email sent in error can amount to a significant data breach and can lead to regulatory action, fines, litigation and reputational harm.
The charity HIV Scotland learnt this the hard way in late 2021, when it was fined £10,000 by the Information Commissioner's Office (ICO) because of a 2020 data breach. The fine came after an individual in the charity sent out a single email containing personal information to over 100 people.
The member of staff who sent the email did so without using the blind carbon copy (bcc) function, which is a common data protection error. As a result, all the email addresses and some individual names were sent to all recipients.
HIV Scotland helps both people living with HIV and those at risk of the disease. Given the sensitive nature of its work, recipients of the email could infer the HIV status or risk of the individuals whose details were disclosed. Medical data is classified as “sensitive data” under data protection law.
The ICO investigated the incident and found shortcomings in the charity's procedures. These included:
- Inadequate staff training.
- Incorrect methods of sending bulk emails by bcc.
- Inadequate data protection policy.
One particularly damning finding was that HIV Scotland was aware of the data protection risks posed by its bulk emailing practices but chose not to address them adequately. The ICO's investigation discovered that the charity had actually procured a more secure system for bulk messages months prior, after identifying bulk emails as a risk. However, it failed to implement the new system and continued with the insecure method.
The regulator found this to be a "serious and negligent failure to take appropriate organisational and technical steps to reduce the possibility of an incident occurring".
The lesson here is that carrying out a data risk assessment without implementing new procedures could result in increased fines and regulatory criticism. Another lesson is the importance of practising what you preach. HIV Scotland was clearly aware of data protection issues when the charity publicly commented on a similar mistake involving a health board. The ICO took the view that the charity should have implemented adequate processes to mitigate similar risks.
HIV Scotland’s interim chief executive Alastair Hudson apologised unreservedly to those affected by the data breach and the charity took full responsibility. Following the fine imposed on HIV Scotland, the ICO urged all organisations to revisit their bulk email practices.
Ken Macdonald, head of ICO regions, said: “All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help. I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”
Smaller organisations are at heightened risk of committing data breaches. Local associations and smaller charities often have little in the way of data protection training or resources, and are run by voluntary staff who may use their own devices to send emails or messages. Many will be unaware of the bcc function in emails. Others may use WhatsApp in a way which exposes the details of individuals without their consent. Training and compliance processes are essential, as there’s no exemption from data protection laws for charities.
Most charities hold multitudes of sensitive data relating to the vulnerable people they support. Such information must not fall into the wrong hands or be misused. Unfortunately, many charities either aren’t fully aware of their obligations, or they simply haven’t taken the necessary steps to meet them.
HIV Scotland is not the first organisation to be fined for failing to use the bcc function. In 2018, the ICO fined the Independent Inquiry into Child Sexual Abuse £200,000 after a staff member sent an email directly to 90 inquiry participants, revealing emails and names in a highly sensitive context. Of the 90 addresses sent, 52 email addresses contained people’s full names, or had a name label attached.
Similarly to the HIV Scotland case, the ICO found that the inquiry had the existing tool to confidentially send a separate email to individual participants, but it failed to use it. The ICO found that the inquiry’s staff had inadequate training surrounding the bcc function.
Perhaps the wisest course of action is to use technical solutions specifically designed for group emails. Such software makes it impossible to accidentally share an individual’s email address with an entire group. Bulk mailing programmes can be easily set up and are simple to use.
Forgetting to send a group email via bcc is an easy mistake. This makes it all the more important for charities to adopt procedures, training and technical solutions to prevent it from happening.
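The safeguard described above can also be built into whatever script or tool a charity uses to send group mail: put every recipient in Bcc, address the visible To field to the sender's own mailbox, and refuse to send at all if any recipient address would be visible in To or Cc. The following is an added example written for this article, not code from HIV Scotland, the ICO or any bulk mailing product; the sender address, the recipient list and the mail server settings are constructed placeholders.

```python
"""Added example: build a group email with recipients in Bcc and check
that no recipient address is exposed in To/Cc before sending."""
from email.message import EmailMessage
from email.utils import getaddresses
import smtplib

# Constructed sample data; none of these addresses are real.
SAMPLE_SENDER = "news@charity.example"
SAMPLE_RECIPIENTS = [
    "alice@example.org",
    "bob@example.org",
    "carol@example.org",
]


def build_group_message(sender, recipients, subject, body):
    """Return a message whose visible To is the sender's own address and
    whose real recipients are all in Bcc, so nobody sees the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def mistaken_message(sender, recipients, subject, body):
    """The common error, constructed for contrast: every recipient in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to see (To and Cc headers)."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(values)]


def exposed_addresses(msg, allowed=()):
    """Visible addresses other than the sender's own and any explicitly
    allowed list address. A non-empty result means recipients would be
    disclosed to each other."""
    permitted = {addr for _, addr in getaddresses(msg.get_all("From", []))}
    permitted |= set(allowed)
    return [a for a in visible_recipients(msg) if a not in permitted]


def send_group_message(msg, host="localhost", port=25):
    """Send only when nothing is exposed; otherwise raise before any
    connection is opened. smtplib.send_message builds the envelope from
    To, Cc and Bcc and strips the Bcc header from the transmitted copy."""
    leaked = exposed_addresses(msg)
    if leaked:
        raise ValueError(
            f"refusing to send: {len(leaked)} recipient address(es) "
            "would be visible to every recipient in To/Cc"
        )
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    good = build_group_message(SAMPLE_SENDER, SAMPLE_RECIPIENTS,
                               "Newsletter", "Hello everyone")
    bad = mistaken_message(SAMPLE_SENDER, SAMPLE_RECIPIENTS,
                           "Newsletter", "Hello everyone")
    print("bcc message exposes:", exposed_addresses(good))
    print("mistaken message exposes:", exposed_addresses(bad))
```

The check is deliberately placed ahead of the SMTP connection, so a misaddressed message never reaches the server; a genuine shared list address (for example a moderated mailing list) can be passed in `allowed` so it is not flagged.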
Those worst affected by data breaches are often charities’ own supporters or beneficiaries. Such people may understandably feel reluctant to take action against a charity. Yet holding organisations to account for data protection failures is often the only way to improve standards. The HIV Scotland case demonstrates that even when charities are aware of risks and have the means to obviate them, inertia can lead to protective measures being ignored.
As a result, vulnerable people can end up with their sensitive data publicly exposed, which can cause them significant anxiety or embarrassment, and might even lead to discrimination. The truth is that the threat of regulatory intervention and fines can trigger organisations to take data protection more seriously. At the end of the day, such intervention serves to protect the privacy of vulnerable people while ensuring the continuation of the charity’s good work.
If the threat of regulatory action isn’t incentive enough, those individuals impacted by a data breach may also take legal action to receive compensation. Claimants could be entitled to compensation for both “material damage”, such as financial losses, and “non-material damage” for distress suffered due to the data breach.
A slew of such claims often follows an adverse ICO ruling relating to a significant data breach, since such a ruling has the effect of establishing civil liability. This makes the claimant’s task all the easier, as the only issue left to be decided is the level of compensation. The ICO is clear that it “cannot award compensation” and says: “We strongly recommend you take independent legal advice on the strength of your case before taking any claim to court.”
In the wake of Brexit, there are now two versions of the General Data Protection Regulation (GDPR) which UK charities need to have regard to. The first is the UK law as set out in the Data Protection Act 2018 (DPA 2018), which applies to the processing of UK residents’ personal data. The second is the EU’s GDPR, which continues to apply to organisations that process the personal data of EU residents.
The financial impact of a data breach can be devastating. The DPA 2018 enables the ICO to impose a maximum fine of £17.5 million or 4% of an organisation’s annual global turnover, whichever is greater. Meanwhile, the EU GDPR sets a maximum fine of whichever is greater, €20 million (about £18 million) or 4% of annual global turnover.
For charities responsible for a data breach, the costs of litigation will inevitably come on top of dealing with the regulator and paying any fines. A data breach can also cause serious reputational damage, reduced staff morale, a loss of contracts with third parties and a drying up of donations.
The ICO also has the power to temporarily or permanently ban an organisation from data processing. It can also suspend the right of a data processor to send data to third countries. Such orders could prevent some charities from operating. For some organisations, the indirect financial consequences of such orders could be far worse than the direct impact of a fine.
Despite the huge risks involved, data protection compliance is not a priority for many charities. Given the high stakes, data protection should be at the top of their agenda – especially in this era of increased ransomware and cyberattacks. Those charities with solid data protection regimes in place should make sure these are updated regularly and implemented in full, and that staff training is fully up to date. Even a single email error can easily lead to a data protection disaster.