NHS Highland reprimanded for ‘serious’ HIV patient data breach

NHS Highland has been issued with a reprimand from the Information Commissioner’s Office (ICO) for a “serious” data breach involving people likely to be accessing HIV services.

The ICO said that there was “simply no excuse” for the breach, calling for extensive improvements to data protection safeguards amongst HIV service providers.

A formal reprimand was issued to NHS Highland, one of fourteen regions of NHS Scotland, after it emailed 37 people likely to be accessing HIV services, inadvertently using CC (carbon copy) instead of BCC (blind carbon copy).

The mistake meant that those receiving the email could see the personal email addresses of others getting the email, with one person confirming they recognised four other individuals, one of whom was a previous sexual partner.

The ICO decided to apply its public sector approach, instead of issuing a £35,000 fine for the mishap.

Its recommendations have been included in NHS Highland’s Information Governance Action Plan, with an update being provided to the body in June 2023.

Data from the ICO shows that failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly one thousand reported since 2019.

Under existing data protection law, organisations must have appropriate technical and organisational systems in place to make sure personal data is kept safe and not inappropriately disclosed to others.

“The stakes are just too high,” said Stephen Bonner, ICO deputy commissioner – regulatory supervision. “Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.”

Bonner added that every HIV service provider in the UK should see this case as a "crucial learning experience".
