HIV Scotland – €11,700 Fine (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
HIV Scotland is a charity that helps people living with HIV, those at risk of HIV and individuals who support people with HIV. HIV Scotland set up a MailChimp account for online mailing and migrated contact details to the bulk mailing platform. A list of contact details of the Community Advisory Network (CAN) was not migrated. On 3 February 2020, an email was sent using Microsoft Outlook to 105 members of CAN with the recipients in CC rather than BCC. This meant that the email addresses of 65 recipients were visible, identifying those individuals by name. HIV Scotland noticed the error immediately and submitted a breach report, highlighting that individuals' HIV status could be inferred from the breach. HIV Scotland contacted the individuals to apologise and offered support if distress was caused. HIV Scotland has since adopted MailChimp for all its mailing operations to reduce the risk of a repeat incident.

The Information Commissioner's Office (ICO) concluded that HIV Scotland had failed to put in place appropriate organisational and technical measures. The following steps taken by HIV Scotland prior to the breach were insufficient according to the ICO:
* Employees were asked to read and refer to HIV Scotland's privacy policy
* Training on GDPR awareness in the first three months of employment
* Awareness of the BCC requirement for group emails
* An attempt to migrate contact details to MailChimp for better security

The ICO found the following deficiencies in the technical and organisational measures at HIV Scotland:
* HIV Scotland did not have a specific internal policy for handling personal data securely. Reliance on the external privacy policy was not an appropriate data protection policy for staff handling personal data.
* Staff did not have guidance on how to handle personal data securely. According to the ICO, employees should have had GDPR training before handling personal data and within one month of their start date. This is especially required when staff handle special cat
Related Enforcement Actions (0)
No other enforcement actions found for HIV Scotland in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 October 2021
Authority
Information Commissioner's Office
Fine Amount
€11,700
10,000 GBP
Enforcement Tracker ID
ETid-883
GDPRhub ID
gdprhub-4271
Cite as: Cookie Fines. HIV Scotland - United Kingdom (2021). Retrieved from cookiefines.eu