UK Regulator: HIV Data Protection Must Improve
The UK’s Information Commissioner’s Office (ICO) has called for “serious improvements” in data protection practice at organizations handling information about people living with HIV, after reprimanding an NHS body for exposing patients’ details.
It said NHS Highland emailed 37 people likely to be accessing HIV services but mistakenly entered their addresses in the CC field rather than BCC, so every recipient could see the email addresses of all the others.
According to the ICO, one person confirmed that they recognized four other individuals on the email list, one of whom was a previous sexual partner. Two patients submitted formal complaints to NHS Highland, with one of them making more than one complaint.
NHS Highland escaped a £35,000 fine under the regulator’s new lighter-touch approach to public sector bodies, but the ICO condemned the health board for a “serious breach of trust.”
It also used the opportunity to remind any organization handling highly sensitive information of this sort that it must take extra care.
ICO deputy commissioner for regulatory supervision, Stephen Bonner, argued that HIV service providers must set the highest standards in data protection.
“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organizations dealing with this type of information should take the utmost care with their personal data,” he added.
“Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organizations to raise their data protection standards and put the appropriate measures in place to keep people safe.”
As part of the reprimand, NHS Highland will now have to review data protection and email policies, including the use of group emails, and use the “appropriate technical and organizational measures” when sending group emails containing highly sensitive information. It should also consider running an internal UK GDPR training compliance assessment, the ICO said.
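The failure described above is a header-handling mistake, and the “appropriate technical measures” the ICO asks for can be enforced in code rather than left to whoever is composing the email. The following is an added example, not code from the ICO or NHS Highland: it builds a group mailing whose recipients exist only in the SMTP envelope (never in To, Cc or Bcc headers), and a pre-send check that would have rejected the message NHS Highland actually sent. The sender address and the 37 recipient addresses are constructed for illustration.

```python
"""Group-mailing guard: keep recipient addresses out of visible headers.

Added example; not the ICO's or NHS Highland's code. Addresses below are
constructed and use the reserved .invalid TLD.
"""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "sexual-health@nhs.example.invalid"  # hypothetical sending service
# Constructed sample list: 37 recipients, as in the incident.
RECIPIENTS = [f"patient{i:02d}@example.invalid" for i in range(1, 38)]


def build_group_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients) for a safe group mailing.

    Recipient addresses go ONLY in the SMTP envelope (the RCPT TO list).
    The visible To header names the sending service itself, and no Cc or
    Bcc header is written, so nothing leaks even if a relay or client
    forgets to strip Bcc before delivery.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # recipients see only the clinic's own address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_group_message_wrong(sender, recipients, subject, body):
    """The mistake in the article: every recipient placed in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses a recipient could read from the headers (To and Cc).

    Bcc is counted too: a draft that still carries a Bcc header relies on
    the mail client or MTA to scrub it, a dependency this check refuses.
    """
    pairs = []
    for header in ("To", "Cc", "Bcc"):
        pairs += getaddresses(msg.get_all(header, []))
    return [addr.lower() for _, addr in pairs if addr]


def check_before_send(msg, envelope_recipients, sender):
    """Pre-send gate.

    Returns the envelope recipients whose address is exposed in the
    headers (the sender's own address is allowed). An empty list means
    the message is safe to send.
    """
    visible = set(visible_recipients(msg)) - {sender.lower()}
    return sorted(r for r in envelope_recipients if r.lower() in visible)


def send_group(msg, envelope_recipients, sender, host="localhost", port=25):
    """Refuse to send anything that exposes a recipient; otherwise deliver.

    smtplib's send_message() uses to_addrs only for the envelope RCPT TO
    commands; it does not add them to the message headers.
    """
    leaked = check_before_send(msg, envelope_recipients, sender)
    if leaked:
        raise ValueError(
            f"{len(leaked)} recipient address(es) exposed in headers; not sent"
        )
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=sender, to_addrs=envelope_recipients)


if __name__ == "__main__":
    safe, rcpts = build_group_message(SENDER, RECIPIENTS, "Clinic hours", "...")
    print("safe message exposes:", check_before_send(safe, rcpts, SENDER))
    bad, rcpts = build_group_message_wrong(SENDER, RECIPIENTS, "Clinic hours", "...")
    print("CC message exposes:", len(check_before_send(bad, rcpts, SENDER)))
```

Putting the check in the sending path, rather than in guidance to staff, is the point: the CC-built message is rejected before it reaches the mail server, and the safe builder cannot leak by construction because the recipient list never touches a header.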