ICO Fines Charity £10,000 for UK GDPR Breach

On 22 October 2021 the Information Commissioner’s Office (ICO) fined an HIV charity £10,000 for a breach of the UK GDPR. According to the ICO, the charity failed to apply appropriate organizational and technical security measures to its internal email systems.

This decision - which comes just three months after the ICO fined another charity £25,000 for a sensitive data breach - provides key takeaways for production companies.

What happened?

In February 2020 the charity sent an email to 105 people using the CC function instead of the BCC function. This meant that the email addresses - 65 of which identified the recipients by name - were visible to all recipients.

Because of the nature of the email and the charity, the breach could lead to assumptions about individuals’ HIV status or risk (so while the email addresses themselves didn’t constitute special category data, special category data (relating to the recipients’ health) could be inferred).

The breach was identified immediately and the message was recalled, but it was impossible to determine how successful this was. The charity reported the incident to the ICO on the day it happened.

ICO’s decision

Although the charity had some organizational and technical security measures in place, the ICO decided that these weren’t enough.

In particular, the ICO found that the charity didn’t have a specific policy on the secure handling of personal data (instead, employees relied on the charity’s Privacy Policy, a public document which covered topics such as cookie use and data subject access rights).

The ICO also found that while the charity had procured a system which allowed bulk messages to be sent more securely seven months earlier, it hadn’t started using this and was continuing to use email.

Key takeaways for productions

This decision has a number of key takeaways for production companies: 

• The ICO is continuing to crack down on organizations which don’t have sufficient safeguards in place to protect people’s data, particularly special category data.
• It’s important to have an appropriate data protection policy in place which focuses on your team’s handling of personal data. 
• Individuals who handle personal data (particularly special category data) should be trained on how to do so before they’re given access to the data. 
• The use of email for sensitive communications can leave you exposed to a data breach. Messaging systems which include functionality for sending messages more securely can help to reduce the risk of information being shared with the wrong people. 
• It’s important to be aware of the dangers of collecting special category data via email. This includes health data (eg, vaccination data) and diversity data. 

For more information on how to secure your production data, check out our guide to information security.