YMCA Fined £7,500 By ICO For Revealing Sensitive Data About HIV Individuals

By Lucy Caulkett

The Central Young Men’s Christian Association (Central YMCA) has been fined £7,500 by the Information Commissioner’s Office (ICO) after inadvertently revealing sensitive data about hundreds of individuals living with HIV.

The breach occurred when the London-based charity sent an email using the carbon copy (CC) function instead of blind carbon copy (BCC), thereby exposing the email addresses of 166 individuals participating in a programme for people living with HIV.

The email, sent in October 2022 by a coordinator for the Positive Health Programme, inadvertently disclosed the email addresses of 166 individuals out of 270 recipients.

These email addresses could potentially identify the individuals as living with HIV, constituting a breach of data protection regulations.

The ICO originally considered a fine of £300,000 but later reduced it to £7,500, along with issuing a formal reprimand to Central YMCA.

Ryan Palmer, CEO of Central YMCA, acknowledged the breach, stating that the charity reported the incident to the ICO and notified all affected users.

He emphasized that the charity has strengthened its internal procedures and staff training to prevent similar breaches in the future.

Information Commissioner John Edwards underscored the importance of safeguarding the privacy of individuals living with HIV, emphasizing the need for better training, prompt reporting of breaches, and ending the use of CC for sensitive communications.

Edwards emphasized the detrimental impact of data breaches on the lives of those affected, including exposure to stigma and prejudice.

The incident highlights the critical need for organizations to prioritize data protection and ensure compliance with regulations to safeguard sensitive information and maintain the trust of their users.
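The failure described above is a recipient-list exposure: every address placed in To or Cc is readable by every other recipient, while Bcc addresses travel only in the envelope. The following is an added example, not Central YMCA or ICO code, of the two controls an organisation can put in front of such a message: a sender-side rewrite that moves a large recipient list into Bcc, and a relay-side check that parses the raw message and reports how many addresses are exposed. The threshold `MAX_VISIBLE`, the `example.org`/`example.net` addresses and the sample message are all constructed assumptions.

```python
"""Outbound guard against CC/BCC exposure. Added example with an assumed
policy threshold; not Central YMCA or ICO code. It shows a sender-side
rewrite into Bcc and a gateway-side check on the raw message."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

MAX_VISIBLE = 5  # assumed policy: above this, the recipient list must be hidden

def _addrs(msg, *headers):
    """Bare addresses from the named headers (display names dropped)."""
    fields = [f for h in headers for f in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(fields) if addr]

def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc, never Bcc."""
    return _addrs(msg, "To", "Cc")

def hidden_recipients(msg):
    """Bcc addresses: used for the envelope, stripped by the sending MTA."""
    return _addrs(msg, "Bcc")

def enforce_bcc(msg, max_visible=MAX_VISIBLE):
    """Rewrite the message so no recipient can see the others: the sender's
    own address becomes the only To, everyone else moves to Bcc."""
    visible = visible_recipients(msg)
    if len(visible) <= max_visible:
        return msg  # small list, nothing to hide
    sender = _addrs(msg, "From")[0]
    rcpts = [a for a in dict.fromkeys(visible + hidden_recipients(msg)) if a != sender]
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # no-op if the header is absent
    msg["To"] = sender
    msg["Bcc"] = ", ".join(rcpts)
    return msg

def gateway_exposure(raw):
    """Relay-side check on the wire form: how many addresses are exposed."""
    return len(visible_recipients(BytesParser(policy=policy.default).parsebytes(raw)))

def build_sample(n):
    """Constructed group email reproducing the failure: everyone in Cc."""
    msg = EmailMessage()
    msg["From"] = "coordinator@example.org"
    msg["To"] = "coordinator@example.org"
    msg["Cc"] = ", ".join(f"member{i}@example.net" for i in range(n))
    msg["Subject"] = "Programme update"
    msg.set_content("Hello all")
    return msg
```

`gateway_exposure` operates on the serialised message, so the same check can run in a mail relay or DLP hook before the message leaves the organisation, independent of which client produced it.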

The Information Commissioner’s Office said today the charity, which provides education, health and wellbeing and runs the largest gym in central London, had sent messages to 264 people using the CC field, with 166 being potentially identifiable.

The ICO said the fine was initially recommended to be £300,000 but had been reduced in line with its approach to levy smaller fines against public sector bodies and use other enforcement powers such as reprimands instead.

The regulator called for “urgent improvements” to organisations, including charities, that handle sensitive data belonging to people with HIV, after a series of data breaches.

It made reference to its 2021 decision to fine HIV Scotland £10,000 after the charity sent an email with all recipients’ addresses visible to 105 people, including patient advocates representing people living in Scotland with HIV.

John Edwards, the Information Commissioner, said people living with HIV across the UK were being “failed across the board” on privacy and urgent improvements were needed.

He said in a statement: “We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.

“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.

“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.

“The ICO takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected.

“We are making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.”

Ryan Palmer, chief executive of the Central YMCA, said the charity reported the data breach to the ICO and notified everyone who had been affected.

“The breach took the form of a single email in which the CC function was used instead of the BCC function due to human error,” he said.

“The use of BCC for group emails was not in line with Central YMCA’s internal procedures, for which normal process is to use a bulk mail platform as recommended by the ICO.

“We have since strengthened awareness of our internal procedures and the tools available within the charity.

“We have also strengthened our approach to ensuring all staff and volunteers complete our mandatory data protection training to safeguard personal data processed by the charity.”

He said people affected by the breach had been “supportive to the charity and recognised the human error that led to this situation”.

He added: “We are absolutely committed to safeguarding the information we collect to deliver our services and recognise the consequences personal data breaches can have on those affected.

“We are committed to continuously improving our internal processes and ensuring all staff and volunteers are aware of their responsibilities.”
