Charity fined for revealing sensitive data of hundreds of people on HIV support programme

Central YMCA has been fined £7,500 for sending emails about an HIV support programme to more than 260 addresses using a field that could be seen by all recipients. 

The Information Commissioner’s Office said today the charity, which provides education, health and wellbeing and runs the largest gym in central London, had sent messages to 264 people using the CC field, with 166 being potentially identifiable. 

The ICO said the fine was initially recommended to be £300,000 but had been reduced in line with its approach of levying smaller fines against public sector bodies and using other enforcement powers, such as reprimands, instead. 

The ICO, which said the fine had been paid in full by the charity, has also issued a formal reprimand to the Central YMCA over the incident. 

The regulator has used the announcement to call for “urgent improvements” from organisations, including charities, that handle sensitive data belonging to people with HIV, after a series of data breaches. 

It highlighted its 2021 decision to fine HIV Scotland £10,000 after the charity sent an email with all recipients’ addresses visible to 105 people, including patient advocates representing people living in Scotland with HIV.

John Edwards, the Information Commissioner, said people living with HIV across the UK were being “failed across the board” on privacy and urgent improvements were needed. 

“We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid,” he said. 

“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected. 

“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health. 

“The ICO takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected. 

“We are making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.” 

Ryan Palmer, chief executive of the Central YMCA, said the charity reported the data breach to the ICO and notified everyone who had been affected. 

“The breach took the form of a single email in which the CC function was used instead of the BCC function due to human error,” he said. 

“The use of BCC for group emails was not in line with Central YMCA’s internal procedures, for which normal process is to use a bulk mail platform as recommended by the ICO. 

“We have since strengthened awareness of our internal procedures and the tools available within the charity. 

“We have also strengthened our approach to ensuring all staff and volunteers complete our mandatory data protection training to safeguard personal data processed by the charity.”

He said people affected by the breach had been “supportive to the charity and recognised the human error that led to this situation”.

He added: “We are absolutely committed to safeguarding the information we collect to deliver our services and recognise the consequences personal data breaches can have on those affected. 

“We are committed to continuously improving our internal processes and ensuring all staff and volunteers are aware of their responsibilities.”

– This article was updated on 30 April 2024 to include a response from Central YMCA
