Information Commissioner John Edwards has condemned data protection standards at health services for people living with HIV and called for urgent improvements.
His office said the statement follows several data breaches, as well as concerns raised by some of the largest HIV organisations in the country.
Edwards said: “People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK. We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.
“Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.
“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.
“The ICO (Information Commissioner’s Office) takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected. We are making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.”
Common source of breaches
The ICO said that in the year 2022-23, the health sector accounted for over a fifth of all personal data breaches, making it the most common source of reports to the ICO.
It has recently imposed a fine of £7,500 on HIV service provider The Central Young Men’s Christian Association (the Central YMCA) of London for a data breach in which emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable. Central YMCA has now paid the fine in full.
A formal reprimand has also been issued. The fine was initially recommended to be £300,000, but this was subsequently reduced in line with the ICO's public sector approach to reduce how much public money is used to pay fines for organisations’ errors.
It has previously issued fines or reprimands for data breaches affecting people living with HIV to charity HIV Scotland and health board NHS Highland. Both of these data breaches were due to mistakes in using BCC emails for sensitive communications – something the ICO called on organisations to stop last year.
It is calling for better staff training, appropriate technical procedures and prompt reporting from HIV services.
Working with charities
The ICO has also been working with leading HIV and domestic abuse charities to improve the support given to people who may be in vulnerable situations and have had their data breached. More information will be shared on this work in the coming weeks.
It said that healthcare organisations should ensure that staff are thoroughly trained in data protection, appropriate technical measures such as passwords and access controls are in place, and that BCC should not be used when sending bulk communications.
Adam Freedman, policy, research and influencing manager at National AIDS Trust, said: "We are very supportive of today’s statement by the ICO. Strong regulatory action is needed when organisations breach protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data.
“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent risk of further discrimination and harassment. Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.
“We are pleased to see the ICO recognising the detrimental impact such data breaches can have on people living with HIV, and welcome this much needed intervention.”
Protection from stigma
Jacquie Richardson, chief executive of Northern Ireland HIV charity Positive Life said: “HIV stigma is based on vastly outdated and inaccurate information but this doesn’t lessen the impact of being on the receiving end of these prejudices. Along with public health partners, we continue to work to educate around HIV and the U=U message: modern treatment means the virus becomes undetectable and is therefore untransmittable.
“This warning from the information commissioner should remind all of us that someone’s HIV status requires sensitivity and discretion at all times.”
