
ICO calls for urgent action after repeated HIV-related data breaches


The Information Commissioner’s Office has called for ‘urgent improvements’ in the handling of confidential information of people living with HIV after repeated data breaches.

ICO commissioner John Edwards condemned data protection standards at health services after charities also raised concerns about accidental disclosures of individuals’ HIV status.

It follows another fine issued by the ICO to an HIV provider after bulk emails were sent to service users using CC rather than BCC.

The Central Young Men’s Christian Association (the Central YMCA) of London was fined £7,500 alongside a formal reprimand after sending a message to those on an HIV support programme revealing the email addresses to all recipients, which led to 166 people being identifiable or potentially identifiable, the ICO said.

HIV Scotland and NHS Highland had also been subject to fines for similar data breaches involving mistakes with the BCC email function.

The ICO had already called on organisations to stop using BCC when sending sensitive communications by email.

It also wants to see better staff training and prompt reporting of any data breaches from HIV services, as well as appropriate technical measures to ensure that personal information can only be seen by those who need to use it.

In 2022/23, the health sector was the most common source of reports to the ICO, accounting for over a fifth of all personal data breaches.

Mr Edwards said: ‘People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK.

‘We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.’

He added: ‘Over the past few decades there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.

‘We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.’

Adam Freedman, policy, research and influencing manager at National AIDS Trust, said they welcomed the statement from the ICO. ‘Strong regulatory action is needed when organisations breach protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data. 

‘People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent risk of further discrimination and harassment.

‘Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.’

