back to article ICO slaps HIV support group with £250 fine following email blunder

An HIV support group responsible for inadvertently revealing patient identities via an email blunder has been slapped with a £250 fine by the Information Commissioner's Office. The Bloomsbury Patient Network sent out a newsletter to 200 patients via email using a list of addresses in the "to" field rather than the "bcc" field …

  1. Dan 55 Silver badge

    In this case perhaps it would be better if the ICO could constructively help and come back later to see if action has been taken instead of fining them. There are a whole lot of NGOs and small companies for which a carrot is better than a stick.

    1. Vimes

      The problem is the ICO only seems to show the carrot to the very people that need the stick.

      Look at Talk Talk and the repeated problems theere, and the lack of action from the ICO as a result of the issues.

      1. Alan Brown Silver badge

        Carrots

        The ICO only uses the stick on outfits which are highly unlikely to lawyer up and challenge them.

        The last time they misjudged that, the fines got poleaxed by a district court judge. They should have appealed it but didn't.

        The chances of Talk Talk being issued with maximum fines (or any fines) are inversely related to their legal budget.

    2. graeme leggett

      I think the idea, like with HSE, fire brigade, etc is that you go to them for advice etc before shit hits fan rather than advice after you've cocked up.

      It's the directors' (trustees) responsibility to be aware of all legislation that affects the business (charity) whether that be a safe place of work, insurance or not spreading sensitive information.

      There is something to be said for making an example of even smallest organizations to encourage others to do what is right and head off worst cases.

  2. DaLo

    "We need to send a clear message: no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data,”

    By the way El Reg how did your ICO investigation go?

    El Reg in SHOCK email address BLUNDER

    1. Anonymous Coward
      Anonymous Coward

      El Reg (Situation Publishing) is not on the ICOs list of civil penalties issued nor does it appear in the enforcement list (undertakings, prosecutions etc)

      1. Anonymous Coward
        Anonymous Coward

        Did they inform the ICO or just the readers?

        1. DaLo

          The article states "We are in the process of blowing the whistle on ourselves to the ICO over the matter."

          That doesn't mean they necessarily did contact the ICO, just that they were in the process of doing it.

  3. Anonymous Coward
    Anonymous Coward

    It's 2016 for cripes sake....

    can we please get an email client that doesn't allow you to do stuff like this?

    1. Anonymous Coward
      Anonymous Coward

      Re: It's 2016 for cripes sake....

      I know Exchange can limit the number of recipients, so I expect other mail servers can impose a limit. But I doubt Exchange discriminates between To, CC and BCC - it's only interested in limiting absolute numbers of addressees.

      Outlook as a standalone doesn't appear to limit the number of addresses. Perhaps it could be programmatically "I notice your To: list for this email is a distribution group or exceeds 20 names - are you sure you want to do it this way and not use BCC?" Options are 'No', and 'Dear [deity] no, what was I thinking!'

      1. caffeine addict

        Re: It's 2016 for cripes sake....

        Yeah, a limit of 10 in TO or CC fields would help.

        A limit of 50 in BCC fields might get people to actually use proper mailers with proper unsub functionality too.

    2. Bucky 2

      Re: It's 2016 for cripes sake....

      You're blaming the hammer for the actions of the carpenter.

      My first thought was: Who can be THAT unfamiliar with how email works?

      1. Doctor Syntax Silver badge

        Re: It's 2016 for cripes sake....

        "Who can be THAT unfamiliar with how email works?"

        Most users AFAICS.

        1. David Roberts

          Re: It's 2016 for cripes sake....

          Most email users (especially the nearly 50% below average intelligence) probably haven't even heard of BCC let alone know what the acronym stands for.

          Charities especially should make it a priority to brief all volunteers on committees about the risks of exposing email addresses.

          I know of at least one which doesn't.

          Not really surprising if the majority of staff members are recruited for their public facing "touchy feely" skills and IT is a sort of bolt on afterthought with a lot of functions outsourced to 3rd parties. Quite possibly there may be nobody truly IT literate within the organisation.

          Data Protection is used as a mantra for not doing stuff which might cost money but there is probably no true awareness throughout the company {allegedly}.

          A few more incidents and fines and this might filter through - if this is reported widely enough in the popular press and not just in the "techical" press.

          1. Anonymous Coward
            Anonymous Coward

            Re: It's 2016 for cripes sake....

            Data Protection requirements and how it affects your job ought to be one of the the things explained to you on your first day.

            Somewhere after "this is where the fire exit is" and "this is your desk" but before "I'll take you to meet Bob in finance, he'll explain the project to you".

    3. Vic

      Re: It's 2016 for cripes sake....

      Not here it isn't...

      Vic.

  4. CAPS LOCK

    " ... a fine of four per cent on their global turnover ..."

    That's interesting. I wonder how it will go the next time, say, the Crown Prosecution Service loses an unencrypted memory stick?

    "That'll be 4 percent of the turnover of HMG please "

    1. Anonymous Coward
      Anonymous Coward

      Re: " ... a fine of four per cent on their global turnover ..."

      HMG isn't a corporation, though come back in 4 years and see if it has become like the East India Company, run by Serco or Capita.

    2. Anonymous Coward
      Holmes

      Re: " ... a fine of four per cent on their global turnover ..."

      HMG loses so much money every year that the fine would probably be MINUS £25 Billion.

      1. Pen-y-gors

        Re: " ... a fine of four per cent on their global turnover ..."

        "HMG loses so much money every year that the fine would probably be MINUS £25 Billion."

        Great - a few decent leaks and the deficit is sorted...

  5. Disgruntled of TW
    WTF?

    Experian, Equifax and Callcredit

    Let the 4% good times roll ... they are all guilty of negligence in maintaining their database, and are not being held to account. They should not be able to sell their database which we clean for them, at our intense discomfort when they cock up. A 100% fail for us when they get it wrong, is a 0.000001% fail for them.

  6. Phil Endecott

    Suspended sentence

    How about this idea:

    "You trustees are each sentenced to a fine of £100,000, suspended for 10 years.

    "During those ten years you will be supervised by a probation officer who will make unannounced visits to your premises. If they find that you are storing your patient data in a system from which it may be copied-and-pasted or otherwise exported in bulk, or if they find that your email system is configured to allow messages to be sent to large numbers of recipients without multiple levels of confirmation and a time-delay, you will be liable to pay the fine in full."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like