TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

Data breach leads to £10k fine for Scottish charity

This news post is over 2 years old

A new team and board of trustees have now taken "robust steps" to improve information security

A prominent Scottish charity has been fined £10,000 for a data protection breach.

The action was taken after HIV Scotland sent out an email containing the personal details of dozens of people.

The breach involved an email to 105 people, including patient advocates representing people living in Scotland with HIV.

All the email addresses were visible to recipients, and 65 identified people by name.

The Information Commissioner's Office (ICO) issued the penalty, with the watchdog saying that an assumption could be made about individuals' HIV status or risk from the personal data disclosed.

New interim chief executive Alastair Hudson said the charity took full responsibility and apologised unreservedly to anyone who had been affected by the data breach.

He said a new team and board of trustees had taken "robust steps" to improve information security.

Hudson added: "For a small charity, financially, I cannot deny that this is a heavy blow. However, we will find a way to pay the £10,000 fine to the ICO.

"As an organisation, HIV Scotland would like to re-iterate its commitment to providing a safe and supportive space where our stakeholders and networks can contribute to better health and wellbeing for those impacted by HIV and improving sexual health for all."

The ICO said its investigation of the incident in February found shortcomings in the Glasgow-based charity's email procedures.

These included inadequate staff training, incorrect methods of sending bulk emails and an inadequate data protection policy.

It also found that despite the charity's own recognition of the risks and the procurement of a more secure system for bulk messages, it was continuing to use a less secure method seven months later.

Ken Macdonald, head of ICO regions, said: "All personal data is important but the very nature of HIV Scotland's work should have compelled it to take particular care.

"This avoidable error caused distress to the very people the charity seeks to help."