The Information Commissioner’s Office (ICO) has issued a monetary penalty notice to the YMCA in the sum of £7,500 for a breach of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.
Background
The YMCA runs a number of community programmes, including the Positive Health Programme (Programme). The Programme is an exercise scheme for people living with HIV. As part of the Programme, the YMCA collects special category data including the aims of referral to the Programme, the date of HIV diagnosis, any medication taken and medical history.
On 6 October 2022, a co-ordinator for the Programme sent an email to 270 recipients inviting them to a talk about nutrition as part of the Programme. Instead of sending the email using the BCC function on Microsoft Outlook (in line with YMCA’s policy for sending invites under the Programme), the email was sent using the CC function and therefore revealed the email addresses of all 270 recipients.
On 7 October 2022, the co-ordinator realised the error and used the recall function to try to recall the email that had been sent. This led to a further email to all 270 recipients.
The YMCA assessed the list of recipients and determined that only 115 of the email addresses had clear names in them. A further 51 contained part of a name and were therefore potentially identifiable. 166 data subjects were therefore identifiable (or potentially identifiable) and therefore affected by the breach.
In addition to the above, given the content of the email invite, recipients could infer from its contents that the 166 individuals whose email addresses were disclosed were likely to be living with HIV. This is special category data under Article 9(1) of the UK GDPR.
Following discovery of the breach, the YMCA acted promptly and reported the breach to the ICO within the 72-hour period prescribed by Article 33 of the UK GDPR. They also notified the affected data subjects on 10 October 2022.
Decision
The ICO found that the YMCA were in breach of Article 5(1)(f) of the UK GDPR as they had failed to process the personal data “in a manner that ensures appropriate security of the data…” The ICO referred to the following failures in the penalty notice:
- Not having a written policy or procedure in place in relation to the sending of group emails;
- Inappropriately relying on the use of BCC to send group emails;
- Not providing data protection training specific to employees’ roles;
- A lack of awareness of data protection legislation in some parts of the organisation; and
- Not effectively monitoring completion of data protection training.
The ICO ultimately concluded that the breach was sufficiently serious to justify issuing a significant fine. When deciding upon the level of the fine, the ICO looked at a number of different factors.
The ICO determined that the breach was of a serious nature given the disclosure of special category data and the YMCA’s failings as set out above. The ICO did acknowledge that the YMCA had taken steps to try and mitigate the loss by notifying the data subjects, by attempting to recall the email and by providing feedback to staff about the approach taken. A monetary penalty of £7,500 was imposed.
Comment
The above is a reminder for all organisations to have measures in place that ensure the appropriate security of personal data. In particular, organisations should ensure that their staff are thoroughly trained and that completion of such training is being monitored. Organisations should also refrain from relying on “BCC” when sending bulk emails.
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.