Urgent improvements in data protection standards are needed to properly protect the privacy of people living with HIV.
This is according to the Information Commissioner, who has condemned data protection standards at health services for people living with HIV following several data breaches, as well as concerns raised by some of the largest HIV organisations across the UK.
His call also follows a £7,500 fine issued to HIV service provider The Central Young Men’s Christian Association (the Central YMCA) of London.
Failed across the board
Information Commissioner John Edwards said: “People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK.
“We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.
“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.
“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services.
“They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.
“The ICO takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected.
“We are making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.”
Adam Freedman, policy, research and influencing manager at National AIDS Trust, said: “We are very supportive of today’s statement by the ICO.
“Strong regulatory action is needed when organisations breach protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data.
“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent risk of further discrimination and harassment.
“Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.
“We are pleased to see the ICO recognising the detrimental impact such data breaches can have on people living with HIV, and welcome this much needed intervention.”
Jacquie Richardson, CEO of Northern Ireland HIV charity, Positive Life, said: “This serves as a timely reminder of the importance of patient confidentiality and privacy.
“Here in Northern Ireland, stigma around HIV still carries a huge burden.
“Our service users tell us of the worry of being seen or overheard in any setting in which they need to disclose their status, and the fear of how they will be treated as a result.
“HIV stigma is based on vastly out-dated and inaccurate information but this doesn’t lessen the impact of being on the receiving end of these prejudices.
“Along with public health partners, we continue to work to educate around HIV and the U=U message: modern treatment means the virus becomes undetectable and is therefore not transmittable.
“This warning from the Information Commissioner should remind all of us that someone’s HIV status requires sensitivity and discretion at all times.”
YMCA fined £7,500
In the year 2022/3, the health sector accounted for more than a fifth of all personal data breaches, making it the most common source of reports to the ICO.
Today the ICO has issued a £7,500 fine to the Central YMCA of London for a data breach in which emails intended for those on an HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients.
This resulted in 166 people being identifiable or potentially identifiable.
Central YMCA has now paid the fine in full.
A formal reprimand has also been issued. But while the fine was initially recommended to be £300,000, this was subsequently reduced in line with the ICO’s public sector approach.
This approach, which the ICO is currently trialling, is where fines for public sector bodies are reduced where appropriate alongside wider use of other enforcement powers, such as reprimands.
The ICO explained this is designed to reduce how much public money is used to pay fines for organisations’ errors, which often end up impacting those who need these public services.
The ICO has previously issued fines or reprimands for data breaches affecting people living with HIV to charity HIV Scotland and health board NHS Highland. Both of these data breaches were due to mistakes in using BCC emails for sensitive communications – something the ICO called on organisations to stop last year.
The ICO is further calling for better staff training, appropriate technical procedures and prompt reporting from HIV services.
It has also been working with leading HIV and domestic abuse charities to improve the support given to people who may be in vulnerable situations and have had their data breached.
More information will be shared on this work in the coming weeks.
Advice to victims of an HIV-related data breach
For victims of a data breach related to their HIV status or other personal information, the ICO advises:
- Complaining directly to the organisation in question
- If people are dissatisfied with their response, or if they do not receive a response, they can file a complaint to the ICO. They may also wish to contact community support services such as National AIDS Trust, Terrence Higgins Trust or Positive Life
- The ICO can consider complaints about the way a person's information has been handled and whether there has been an infringement of data protection law. It added that it will share a decision about what it thinks should happen next
- It can make recommendations to organisations to put things right or to improve their practices when it thinks it is necessary to do so. Where it has significant concerns about an organisation’s ability to comply with the law, it can take enforcement action
Advice for HIV services
Turning to HIV service providers, the ICO said a person’s HIV status is highly sensitive information that must be handled with care.
It added that, when accessing healthcare and other vital services, people need to trust that their medical information is safe and only available to authorised employees.
Consequently, healthcare organisations should ensure:
- Staff are thoroughly trained: Organisations should have data protection training in place that is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal information safely and securely. It must be clear to staff what records they are allowed to access
- Appropriate technical measures are in place: Appropriate measures, such as passwords and access controls, should be in place to ensure personal information can only be seen by people who need to use it
- Do not use BCC when sending bulk communications: Failure to use BCC correctly in emails is one of the top data breaches reported to the ICO every year – and these breaches can cause real harm, especially where sensitive personal information is involved. It added that while BCC can be a useful function, it is not enough on its own to properly protect people’s personal information. If organisations are sending any sensitive personal information electronically, or are contacting individuals regarding health-related matters, they are advised to use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services
- Staff are clear on the data breach reporting process: An organisation must report misuse of personal data to the ICO if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information. The ICO added this must be reported within 72 hours of becoming aware of the breach

It concluded that personal information breaches are treated seriously, and with the recognition that the individuals affected have been denied the dignity and privacy that everyone should expect when accessing healthcare services.