Charities and healthcare organizations that work with HIV positive individuals are consistently failing to prioritize their data protection and privacy needs, leading to frequent data breaches that expose people’s HIV status. This lack of protection denies those living with the condition their right to basic dignity and privacy, according to the Information Commissioner’s Office (ICO).
Advancements in drug technology have made managing HIV a long-term condition that is often not transmissible, and the introduction of pre-exposure prophylaxis (PrEP) has significantly reduced infection rates, particularly among gay men. However, the stigma and prejudice against people with HIV that were prevalent in the 1980s and 1990s still persist today. Consequently, many individuals living with the condition feel unable to openly disclose their HIV status.
The ICO has emphasized the urgent need to improve support for people with HIV in relation to the handling of their sensitive information. Information Commissioner John Edwards has called for swift improvements and offered the ICO’s assistance in addressing the issue. Edwards stated that failures to protect personal information are evident and can be easily avoided.
Data breaches not only undermine individuals’ trust in support services but also subject them to stigma and prejudice. The ICO takes such breaches seriously and recognizes the negative impact they can have on affected individuals’ lives. Edwards called on the sector to implement cybersecurity improvements such as enhanced training, prompt reporting of accidental breaches, and a focus on using the blind carbon copy (BCC) function when emailing large groups of people.
The ICO has previously imposed fines on two organizations in Scotland, NHS Highland and HIV Scotland, for incidents related to the misuse of mailing lists. On April 30th, the ICO fined the Central Young Men’s Christian Association (YMCA) of London £7,500 for a breach in which emails revealing individuals’ HIV status were sent to 264 email addresses using the CC function instead of BCC. This breach potentially exposed the identifiable information of 166 people with HIV. The ICO highlighted that the fine was relatively lenient, as it could have been as high as £300,000, but was reduced in line with its public sector approach.
The National AIDS Trust welcomed the ICO’s statement and emphasized the need for strong regulatory action when organizations breach the protection of HIV status data. They called for individuals living with HIV to have confidence in their ability to seek redress when their data rights are violated, in order to prevent further discrimination and harassment. The ICO’s intervention in recognizing the detrimental impact of data breaches on individuals with HIV was also welcomed by the National AIDS Trust.
In addition, the ICO has provided guidance for victims of data breaches involving personal data, including their HIV status. It advises individuals to first file a complaint with the organization responsible and then, if necessary, to file a complaint with the ICO. Support services such as the National AIDS Trust and the Terrence Higgins Trust can also be contacted. The ICO will consider all complaints regarding the handling of personal data and will inform complainants of its decision on next steps. The regulator can make recommendations to improve security practices or take formal enforcement action, potentially resulting in fines, if it has serious concerns about an organization’s ability to comply with data protection laws.
Organizations working with people with HIV must be mindful that an individual’s HIV status is highly sensitive information that requires careful handling. Staff should receive comprehensive training that is tailored to their roles and provides relevant guidance on handling personal data safely and securely. Organizations should also be aware of the data breach reporting requirements under UK law, which stipulate that breaches threatening individuals’ rights or freedoms, such as medical information breaches, must be reported within 72 hours of becoming aware of them.
Clear guidelines should be established regarding the records that staff members are authorized to access. The implementation of appropriate technical measures, such as enhanced password security and access controls, can help ensure that personal information can only be accessed by individuals with a legitimate and clear need. Lastly, because a single mis-selected CC field is all it takes to disclose every address on a list, organizations should stop using the BCC function for bulk communications and explore alternative methods, such as bulk email services, mail merge, or secure data transfer services, to protect personal data.
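As an added example (not code from the ICO or from any organization named in this article), the following Python mail-merge sender builds one message per recipient and refuses to hand anything to the transport whose To or Cc headers would disclose more than one address, which is the mistake the YMCA fine concerned. The recipient list and the transport callable are constructed placeholders; nothing is sent over the network.

```python
# Added example: per-recipient mail merge with a guard against the CC-instead-of-BCC
# mistake. Not ICO or YMCA code; recipients and transport are constructed placeholders.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; a real list would come from the case-management system.
RECIPIENTS = [
    {"name": "Alex", "email": "alex@example.invalid"},
    {"name": "Sam", "email": "sam@example.invalid"},
    {"name": "Jo", "email": "jo@example.invalid"},
]

def visible_recipients(msg):
    """Addresses every recipient would see: To and Cc (Bcc is stripped in transit)."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(values)]

def check_single_recipient(msg):
    """Refuse any message that would disclose another person's address."""
    # A merge sends one message per person: anything but exactly one visible
    # address, or any Bcc at all, means the wrong sending path is being used.
    visible = visible_recipients(msg)
    if len(visible) != 1:
        raise ValueError(f"refusing to send: {len(visible)} visible recipients, expected 1")
    if msg.get_all("Bcc"):
        raise ValueError("refusing to send: Bcc is not used in a per-recipient merge")
    return True

def build_message(sender, recipient, subject, template):
    """One message addressed to exactly one person, never to the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient["email"]
    msg["Subject"] = subject
    msg.set_content(template.format(name=recipient["name"]))
    return msg

def merge_send(sender, recipients, subject, template, transport):
    """Build, check and hand off one message per recipient; returns the count sent."""
    sent = 0
    for recipient in recipients:
        msg = build_message(sender, recipient, subject, template)
        check_single_recipient(msg)   # raises before transport on any disclosure
        transport(msg)                # e.g. smtplib.SMTP.send_message in production
        sent += 1
    return sent
```

Wiring the check in front of the transport, rather than relying on staff choosing the right header, is the point: a group message with several visible addresses is rejected before it leaves.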