A charity has been fined £7,500 and issued with a reprimand from the Information Commissioner's Office (ICO) for revealing the email addresses of 166 people living with HIV.
The Central YMCA had sent an email relating to an HIV support programme to 264 people.
But rather than using BCC, it used CC, which revealed the email addresses to all recipients.
This meant that 166 people could be identified or potentially identified from their email address, and it could be inferred that all were likely to be living with HIV, said the ICO.
While an initial fine of £300,000 was considered, this was reduced and a formal reprimand was issued by the ICO, as part of its policy to avoid large fines for those delivering public services.
This latest breach is one of a number where the privacy of people living with HIV has been compromised, warns the regulator.
It has previously issued fines and reprimands to the charity HIV Scotland and public sector body NHS Highland for data breaches involving those living with HIV. Both were also due to mistakes using BCC emails for sensitive communications.
The ICO is calling for improvements among all organisations handling HIV patients' data and is working with charities to see how sensitive information can be better protected.
🆕 People living with HIV are being denied “basic dignity and privacy” by repeated data breaches that disclose their HIV status. John Edwards has condemned data protection standards at health services and called for urgent improvements: https://t.co/y0C8x0GGAD
— ICO - Information Commissioner's Office (@ICOnews) April 30, 2024
“People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK,” said Information Commissioner John Edwards.
“We have seen repeated basic failures to keep their personal information safe - mistakes that are clear and easy to avoid.
“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.
“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.”
Measures being taken include better data protection training, advice on prompt reporting of breaches and ending the use of BCC for sensitive communications to help avoid future mistakes.
Charity leader support
The ICO’s measures have been backed by charity leaders supporting people living with HIV.
“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent risk of further discrimination and harassment,” said National AIDS Trust policy, research and influencing manager Adam Freedman.
“Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.
“We are pleased to see the ICO recognising the detrimental impact such data breaches can have on people living with HIV, and welcome this much needed intervention.”
Jacquie Richardson, chief executive of Northern Ireland HIV charity, Positive Life, said:
“This warning from the Information Commissioner should remind all of us that someone’s HIV status requires sensitivity and discretion at all times.”
She added: “This serves as a timely reminder of the importance of patient confidentiality and privacy.
“Here in Northern Ireland, stigma around HIV still carries a huge burden. Our service users tell us of the worry of being seen or overheard in any setting in which they need to disclose their status, and the fear of how they will be treated as a result.”