‘We’ve got to give people a wake-up call’: Information commissioner slams serious HIV data breaches
The UK’s information commissioner has condemned data protection standards for people living with HIV and called for urgent improvements, saying the number of breaches has resulted in a “profound loss of trust”.
John Edwards, who was appointed in December 2021, issued a statement regarding several data breaches as well as concerns raised by some of the UK’s largest HIV organisations.
In 2022/23, the most common source of data breach reports made to the Information Commissioner’s Office (ICO) was in the health sector, which made up more than a fifth of the total.
The statement comes after the ICO issued a fine of £7,500 to the Central YMCA of London after emails intended for those on an HIV support programme were sent to 264 addresses, using CC instead of BCC, thus revealing the information to all recipients. This resulted in 166 people being identifiable or potentially identifiable.
Previously, the ICO has issued fines or reprimands for data breaches affecting people living with HIV to charity HIV Scotland and health board NHS Highland. Both incidences were due to mistakes in using BCC – an email tool which the ICO called on organisations to stop using last year.
Speaking to PinkNews, Edwards said he has been “really worried about this trend of loss of control”.
When addressing why the statement has been released now, he added: “Sometimes these things happen. One thing will happen and you’ll go, ‘OK, there’s an incident’, then another one, then another. At what point do you say, ‘I’m seeing a trend here? I’ve got to call this out?’
“Since 2019, we have seen about 18 breaches involving HIV information and seven of those have been in the [past] financial year, so we thought we’ve got to give people a bit of a wake-up call.”
Edwards said people living with HIV are being “failed across the board when it comes to their privacy” and “urgent improvements are needed across the UK”, adding: “We have seen repeated basic failures to keep personal information safe – mistakes that are clear and easy to avoid.
“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.
“We know from speaking to those living with HIV, and experts in the sector, that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.
“The ICO takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected. We are making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.”
The impact of data breaches on those living with HIV are intense, with people left feeling deeply upset and experiencing a “really profound loss of trust and anxiety”, Edwards went on to say.
“We see people who might not even want to go outside because they’re worried, they feel exposed and vulnerable.
“There are potentially even direct consequences for some people. There are people who travel and work in countries where it’s an offence to be gay or to carry this virus.
“Living knowing that your really sensitive information is not secure can be anxiety-provoking in its own right.”
Alongside calling on organisations to stop using BCC when distributing sensitive information, the ICO also wants to see better staff training, appropriate technical procedures and prompt reporting from HIV services.
Adam Freedman, the policy, research & influencing manager at National Aids Trust, said: “We are very supportive of today’s statement by the ICO. Strong regulatory action is needed when organisations breach protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data.
“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent risk of further discrimination and harassment. Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.
“We are pleased to see the ICO recognising the detrimental impact such data breaches can have on people living with HIV, and welcome this much-needed intervention.”
Here is advice from the ICO if you have been the victim of a data breach related to your HIV status or other personal information.
- First, complain directly to the organisation in question.
- If you are dissatisfied with their response, or if you do not receive a response, you can file a complaint with the ICO. Complaints tool can be found here. You may also wish to contact community support services such as National Aids Trust, Terrence Higgins Trust or Positive Life.
The ICO can consider complaints about the way your information has been handled and whether there has been an infringement of data protection law. We will share a decision about what we think should happen next.
We can make recommendations to organisations to put things right or to improve their practices when we think it is necessary to do so. Where we have significant concerns about an organisation’s ability to comply with the law, we can take enforcement action.
How did this story make you feel?