Data protection breach: Sending out bulk emails resulting in a fine of £180,000.
The public has a general expectation that their personal data will be used lawfully and that additional security measures will be in place for ‘sensitive personal data’.
An employee who worked for Chelsea and Westminster Hospital NHS Foundation Trust was tasked with sending out a newsletter to the users of its sexual health clinic. The employee prepared the newsletter for distribution, put all 730 recipients’ email addresses in the “to” field and sent the email, with the result that 730 full names and personal email addresses were visible to every other recipient. The Information Commissioner’s Office (ICO) was informed, and during its investigation it found that a similar error had been made previously, when a member of staff had emailed a questionnaire relating to HIV status and treatment to 17 patients, again putting their details in the “to” field.
The ICO found that there had been no specific employee training following the earlier breach, although the Trust had put some remedial measures in place. Despite this, the Trust was fined £180,000, as both breaches could have been prevented had the employer put adequate rules in place and enforced them.
Laura Burnett, Employment Law Team Manager, says:
“Whilst it is fine to send out bulk emails to people in a database or selected groups, the key factor is to ensure their contact details are not on display to other recipients of the email. The only way to avoid breaching data protection rules is to insert the recipients’ details in the “bcc” field, not the “to” or “cc” fields. It is imperative to double check the addresses and the information disclosed before pressing “send”, otherwise the implications can be far reaching.”
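The control described in the quote above can be enforced before a message leaves the organisation rather than left to a manual double check. The following pre-send guard is an added example, not code from the original article or from the Trust: it counts the addresses that other recipients would see (the “to” and “cc” fields) and refuses a bulk mailing that exposes more than one. The sender address, recipient addresses and threshold are constructed placeholders.

```python
"""Pre-send guard for bulk mailings: refuses a message that exposes many
recipients' addresses in the visible To/Cc headers, the failure mode that
led to the ICO fine described above. Added example; all addresses are
constructed placeholders."""
from email.message import EmailMessage
from email.utils import getaddresses

# A bulk mailing should show at most one visible address (the sender's own or a list address).
MAX_VISIBLE_RECIPIENTS = 1

def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that other recipients will be able to see (To and Cc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]

def check_bulk_mail(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Return (ok, reason). Blocks when more than max_visible addresses are exposed in To/Cc."""
    visible = visible_recipients(msg)
    hidden = [addr for _name, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses exposed in To/Cc; move them to Bcc"
    if not visible and not hidden:
        return False, "message has no recipients"
    return True, f"{len(visible)} visible, {len(hidden)} hidden recipients"

def build_newsletter(recipients: list[str], use_bcc: bool) -> EmailMessage:
    """Constructed sample newsletter; the sender and recipients are placeholders, not real people."""
    msg = EmailMessage()
    msg["From"] = "clinic-newsletter@example.org"
    msg["Subject"] = "Clinic newsletter"
    if use_bcc:
        msg["To"] = "clinic-newsletter@example.org"  # only the sender's own address is visible
        msg["Bcc"] = ", ".join(recipients)            # recipients hidden from one another
    else:
        msg["To"] = ", ".join(recipients)             # every recipient sees the whole list
    msg.set_content("Newsletter body (constructed sample).")
    return msg

# Constructed sample: 730 placeholder recipients, the same size as the incident in the article.
SAMPLE_RECIPIENTS = [f"patient{i:03d}@example.net" for i in range(730)]

if __name__ == "__main__":
    for use_bcc in (False, True):
        ok, reason = check_bulk_mail(build_newsletter(SAMPLE_RECIPIENTS, use_bcc))
        print("ALLOW" if ok else "BLOCK", "-", reason)
```

Run as a hook in the sending path (or over a saved .eml before dispatch), the guard blocks the “to”-field mistake described above and allows the same message once the recipients are moved to “bcc”.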
If you are concerned about your employees in terms of potential data protection breaches, please contact us.