The UK’s Information Commissioner’s Office (ICO) has called for “serious improvements” to data protection processes at organizations handling information on people living with HIV, after reprimanding an NHS body.
It said NHS Highland emailed 37 people likely to be accessing HIV services but mistakenly placed every address in the visible CC field instead of BCC, so each recipient could see who else was on the list and infer their connection to the service.
According to the ICO, one person confirmed that they recognized four other individuals on the email list, one of whom was a previous sexual partner. Two patients submitted formal complaints to NHS Highland, with one of them making more than one complaint.
NHS Highland escaped a £35,000 fine under the regulator’s new lighter-touch approach to public sector bodies, but the ICO nonetheless condemned the health board for a “serious breach of trust.”
It also used the opportunity to remind any organization handling highly sensitive information of this sort that they must take extra care.
ICO deputy commissioner for regulatory supervision, Stephen Bonner, argued that HIV service providers must set the highest standards in data protection.
“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organizations dealing with this type of information should take the utmost care with their personal data,” he added.
“Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organizations to raise their data protection standards and put the appropriate measures in place to keep people safe.”
As part of the reprimand, NHS Highland will now have to review data protection and email policies, including the use of group emails, and use the “appropriate technical and organizational measures” when sending group emails containing highly sensitive information. It should also consider running an internal UK GDPR training compliance assessment, the ICO said.
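One form the “appropriate technical measure” for group email can take is a send-time guard that refuses any sensitive message exposing more than one address in To/Cc. The following Python is an added example written for this page, not code from the ICO or NHS Highland; the mailbox names, the `example.invalid` addresses, and the rule that a sensitive message may show at most one visible address (the service’s own mailbox) are assumptions.

```python
# Added example (not ICO or NHS Highland code): a guard that prevents the
# CC-instead-of-BCC mistake when sending sensitive group email.
# Assumptions: the service uses its own shared mailbox as the visible To
# address, and a "sensitive" message may expose at most one visible address.
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposureError(ValueError):
    """A sensitive group email would reveal recipient addresses to each other."""


def _addresses(msg, header):
    """All addr-specs across every occurrence of `header` (empty if absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def visible_recipients(msg):
    """Addresses every recipient will see: To and Cc."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def hidden_recipients(msg):
    """Addresses delivered to but not shown: Bcc (stripped before delivery)."""
    return _addresses(msg, "Bcc")


def exposure_count(msg):
    """Number of addresses visible to every recipient."""
    return len(visible_recipients(msg))


def check_recipient_exposure(msg, max_visible=1):
    """Refuse to send a message that exposes more than max_visible addresses."""
    n = exposure_count(msg)
    if n > max_visible:
        raise RecipientExposureError(
            f"{n} recipient addresses are in To/Cc; move them to Bcc")
    return n


def build_group_message(sender, recipients, subject, body, *, sensitive=True):
    """Build a group email; for sensitive mail every recipient goes in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if sensitive and len(recipients) > 1:
        # Only the service's own mailbox is visible; recipients are hidden.
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    check_recipient_exposure(msg)  # fails closed before anything is sent
    return msg


def build_cc_mistake(sender, recipients, subject, body):
    """The failure mode in the reprimand: the whole list placed in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample data; none of these addresses are real.
    service = "clinic@example.invalid"
    patients = [f"patient{i:02d}@example.invalid" for i in range(37)]
    good = build_group_message(service, patients, "Appointment reminder", "...")
    print("visible:", visible_recipients(good), "hidden:", len(hidden_recipients(good)))
    bad = build_cc_mistake(service, patients, "Appointment reminder", "...")
    try:
        check_recipient_exposure(bad)
    except RecipientExposureError as err:
        print("blocked:", err)
```

The check is deliberately placed after the message is assembled rather than in the code that chooses the header, so it also catches messages built by other paths (a template engine, a mail merge) that put a list in Cc; wiring it in front of the SMTP submission call is what turns a policy into a control.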