ICO slaps HIV support group with £250 fine following email blunder An HIV support group responsible for inadvertently revealing patient identities via an email blunder has been slapped with a £250 fine by the Information Commissioner's Office. The Bloomsbury Patient Network sent out a newsletter to 200 patients via email using a list of addresses in the "to" field rather than the "bcc" field …
The ICO only uses the stick on outfits which are highly unlikely to lawyer up and challenge them.
The last time they misjudged that, the fines got poleaxed by a district court judge. They should have appealed it but didn't.
The chances of Talk Talk being issued with maximum fines (or any fines) are inversely related to their legal budget.
I think the idea, like with HSE, fire brigade, etc is that you go to them for advice etc before shit hits fan rather than advice after you've cocked up.
It's the directors' (trustees) responsibility to be aware of all legislation that affects the business (charity) whether that be a safe place of work, insurance or not spreading sensitive information.
There is something to be said for making an example of even smallest organizations to encourage others to do what is right and head off worst cases.
"We need to send a clear message: no matter how small your organisation, you must make sure staff and volunteers are trained to protect personal data,”
By the way El Reg how did your ICO investigation go?
I know Exchange can limit the number of recipients, so I expect other mail servers can impose a limit. But I doubt Exchange discriminates between To, CC and BCC - it's only interested in limiting absolute numbers of addressees.
Outlook as a standalone doesn't appear to limit the number of addresses. Perhaps it could be programmatically "I notice your To: list for this email is a distribution group or exceeds 20 names - are you sure you want to do it this way and not use BCC?" Options are 'No', and 'Dear [deity] no, what was I thinking!'
Most email users (especially the nearly 50% below average intelligence) probably haven't even heard of BCC let alone know what the acronym stands for.
Charities especially should make it a priority to brief all volunteers on committees about the risks of exposing email addresses.
I know of at least one which doesn't.
Not really surprising if the majority of staff members are recruited for their public facing "touchy feely" skills and IT is a sort of bolt on afterthought with a lot of functions outsourced to 3rd parties. Quite possibly there may be nobody truly IT literate within the organisation.
Data Protection is used as a mantra for not doing stuff which might cost money but there is probably no true awareness throughout the company {allegedly}.
A few more incidents and fines and this might filter through - if this is reported widely enough in the popular press and not just in the "techical" press.
Data Protection requirements and how it affects your job ought to be one of the the things explained to you on your first day.
Somewhere after "this is where the fire exit is" and "this is your desk" but before "I'll take you to meet Bob in finance, he'll explain the project to you".
Let the 4% good times roll ... they are all guilty of negligence in maintaining their database, and are not being held to account. They should not be able to sell their database which we clean for them, at our intense discomfort when they cock up. A 100% fail for us when they get it wrong, is a 0.000001% fail for them.
How about this idea:
"You trustees are each sentenced to a fine of £100,000, suspended for 10 years.
"During those ten years you will be supervised by a probation officer who will make unannounced visits to your premises. If they find that you are storing your patient data in a system from which it may be copied-and-pasted or otherwise exported in bulk, or if they find that your email system is configured to allow messages to be sent to large numbers of recipients without multiple levels of confirmation and a time-delay, you will be liable to pay the fine in full."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
