
Persistent data breaches deny people with HIV dignity and privacy

The ICO has urged charities and healthcare organisations that work with people living with HIV to do better when it comes to protecting their personal data, after the HIV status of more than 100 people was accidentally disclosed by London’s Central YMCA

Charities and healthcare organisations working with HIV positive people are persistently failing to take account of their basic data protection and privacy needs, with frequent data breaches that expose people’s HIV status denying those living with the condition “basic dignity and privacy”, the Information Commissioner’s Office (ICO) has warned.

Advances in drug technology have rendered HIV a manageable long-term condition that in many cases cannot be passed on, and the introduction of pre-exposure prophylaxis (PrEP) has seen infection rates plummet, especially among gay men.

However, the homophobic frenzy whipped up against people with HIV in the 1980s and 1990s still lingers, and over 20 years later, many living with the condition still feel they cannot be open about their HIV status.

As such, the ICO said there is a clear need to improve the support offered to people with HIV when it comes to the handling of their sensitive information, and information commissioner John Edwards has now called for urgent improvements, saying the ICO stands ready to assist.

“People living with HIV are being failed across the board when it comes to their privacy, and urgent improvements are needed across the UK. We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.

“Over the past few decades, there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected,” said Edwards.

“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health,” he added.

Edwards said the ICO takes such breaches very seriously and recognises the detrimental impact they can have on the lives of those affected. He called for the sector to swiftly implement cyber security improvements, such as better training, prompt reporting of accidental breaches, and a particular focus on the use of the blind carbon copy (BCC) function when sending emails to large lists of people.

The ICO has previously fined two organisations in Scotland – NHS Highland and HIV Scotland – over incidents arising from the misuse of mailing lists. It has also today (30 April) issued a £7,500 fine to the Central Young Men’s Christian Association (YMCA) of London for a breach where emails to people on an HIV support programme were sent to 264 email addresses using the CC instead of the BCC function.

A total of 166 people with HIV were identifiable, or potentially identifiable, from this breach. Central YMCA has paid the fine in full, although the ICO pointed out that it got off lightly: the penalty could have run as high as £300,000, but was reduced in line with the regulator’s controversial public sector approach.

“We are very supportive of today’s statement by the ICO. Strong regulatory action is needed when organisations breach protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data,” said Adam Freedman, policy, research and influencing manager at the National AIDS Trust.

“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent risk of further discrimination and harassment. Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.

“We are pleased to see the ICO recognising the detrimental impact such data breaches can have on people living with HIV, and welcome this much-needed intervention,” said Freedman.

Guidance for victims and support organisations

The ICO has also issued advice and guidance for people living with HIV who have been the victim of a data breach disclosing their status, or any other personal data.

In these cases, your first action should always be to complain directly to the organisation in question. If they do not respond or you are dissatisfied with what they have to say, you can then file a complaint with the ICO. You may also wish to contact support services such as the National AIDS Trust or the Terrence Higgins Trust.

The ICO will consider all complaints about how personal data is handled and whether or not it constitutes an infringement of the UK’s data protection laws, and will share its decision on next steps with complainants.

Ultimately, the regulator is empowered to make recommendations to an organisation to put things right or to improve its security practices, but where it has significant concerns about an organisation’s ability to comply with data protection law, it can take formal enforcement action leading to the possibility of fines.

Organisations working with people with HIV must be aware that someone’s HIV status is still highly sensitive information that must be handled carefully – people need to be able to trust their medical information is safe and only accessible by authorised people when seeking care or support.

Such organisations need to ensure their staff are thoroughly trained with role-specific, tailored and relevant help to handle personal data safely and securely. Staff should also be made clearly aware of the data breach reporting requirements – under UK law, breaches where there is a risk to people’s rights or freedoms, as is often the case with medical information, must be reported within 72 hours of the organisation becoming aware of them.

It should be made crystal clear what records staffers are allowed to access, and to this end, organisations can also help themselves by putting in place appropriate technical measures, such as enhanced password security and access controls, to make sure personal information can only be seen by those with a clear and genuine need.

Finally, as noted already, stop using BCC when sending bulk communications. Although the BCC function stops the recipients of an email seeing each other’s data, the function is easily misused, either accidentally or on purpose, and is not enough on its own to properly protect data.

Organisations sending any personal data electronically should use alternatives to BCC, such as bulk email services, mail merge, or a secure data transfer service.
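As an added illustration of the two controls this guidance describes (it is not the ICO’s or the article’s own code), the Python below implements a pre-send check that blocks a single message whose To/Cc fields would reveal the recipient list, and a mail-merge sender that builds one message per recipient instead; the threshold and the addresses are constructed for the example.

```python
# Added example, not from the ICO or the article: a pre-send guard against the
# CC-instead-of-BCC failure mode, and a mail-merge alternative to BCC.
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy (constructed): more than this many addresses visible in
# To + Cc makes it a bulk send that must not go out as one message.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address that any recipient of this message would be able to see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg: EmailMessage) -> tuple[bool, str]:
    """Pre-send control: refuse messages that disclose a recipient list."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        return False, f"blocked: {len(seen)} recipients visible in To/Cc"
    return True, "ok"


def mail_merge(sender: str, recipients: list[str], subject: str,
               body_template: str) -> list[EmailMessage]:
    """Build one individual message per recipient so nobody sees anyone else."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body_template.format(recipient=addr))
        messages.append(msg)
    return messages


def sample_cc_message() -> EmailMessage:
    """Constructed sample of the failure mode: every member placed in Cc."""
    bad = EmailMessage()
    bad["From"] = "programme@example.org"
    bad["To"] = "programme@example.org"
    bad["Cc"] = "a@example.net, b@example.net, c@example.net"
    bad.set_content("Next session details attached.")
    return bad


if __name__ == "__main__":
    print(check_before_send(sample_cc_message()))  # blocked
    for m in mail_merge("programme@example.org", ["a@example.net", "b@example.net"],
                        "Next session", "Hello {recipient}"):
        print(check_before_send(m), m["To"])  # each one passes
```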
