INFORMATION Commissioner John Edwards has condemned information safety requirements at well being companies for individuals residing with HIV and known as for pressing enhancements. The assertion follows a number of information breaches, in addition to considerations raised by a number of the largest HIV organisations within the nation.
Information Commissioner John Edwards stated:
“People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK. We have seen repeated basic failures to keep their personal information safe – mistakes that are clear and easy to avoid.
“Over the past few decades, there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected.
“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.
“The ICO takes each one of these data breaches very seriously and recognises the detrimental impact they can have on the lives of those affected. We are making sure that the improvements we all want to see, such as better training, prompt reporting of personal information breaches and ending the use of BCC for sensitive communications, are being implemented as swiftly as possible.”
Adam Freedman, Policy, Research & Influencing Manager at National AIDS Trust, stated:
“We are very supportive of today’s statement by the ICO. Strong regulatory action is needed when organisations breach the protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data.
“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent the risk of further discrimination and harassment. Someone’s HIV status is personal data and it should be a person’s choice to decide whether or not they share that information.
“We are pleased to see the ICO recognising the detrimental impact such data breaches can have on people living with HIV, and welcome this much-needed intervention.”
Jacquie Richardson, Chief Executive of Northern Ireland HIV charity, Positive Life, stated:
“This serves as a timely reminder of the importance of patient confidentiality and privacy. Here in Northern Ireland, the stigma around HIV still carries a huge burden. Our service users tell us of the worry of being seen or overheard in any setting in which they need to disclose their status and the fear of how they will be treated as a result.
“HIV stigma is based on vastly outdated and inaccurate information but this doesn’t lessen the impact of being on the receiving end of these prejudices. Along with public health partners, we continue to work to educate about HIV and the U=U message: modern treatment means the virus becomes undetectable and is therefore untransmittable.
“This warning from the Information Commissioner should remind all of us that someone’s HIV status requires sensitivity and discretion at all times.”
In the yr 2022/3, the well being sector accounted for over a fifth of all private information breaches, making it the commonest supply of stories to the ICO.
The assertion immediately follows one other wonderful issued by the Information Commissioner’s Office (ICO) to a HIV service supplier.
The ICO has issued a wonderful to The Central Young Men’s Christian Association (the Central YMCA) of London for £7,500 for an information breach the place emails supposed for these on a HIV assist programme have been despatched to 264 e-mail addresses utilizing CC as an alternative of BCC, revealing the e-mail addresses to all recipients. This resulted in 166 individuals being identifiable or doubtlessly identifiable. Central YMCA has now paid the wonderful in full.
A proper reprimand has additionally been issued. The wonderful was initially beneficial to be £300,000, however this was subsequently diminished consistent with the ICO’s public sector strategy. This strategy, which the ICO is at the moment trialling, is the place fines for public sector our bodies are diminished the place acceptable alongside wider use of different enforcement powers, equivalent to reprimands. This is designed to cut back how a lot public money is used to pay fines for organisations’ errors, which regularly find yourself impacting those that want these public companies.
The ICO has beforehand issued fines or reprimands for information breaches affecting individuals residing with HIV to the charity HIV Scotland and the well being board NHS Highland. Both of those information breaches have been attributable to errors in utilizing BCC emails for delicate communications – one thing the ICO known as on organisations to cease final yr.
The ICO is additional calling for higher workers coaching, acceptable technical procedures and immediate reporting from HIV companies.
The ICO has additionally been working with main HIV and home abuse charities to enhance the assist given to individuals who could also be in vulnerable conditions and have had their information breached. More data will likely be shared on this work within the coming weeks.
Advice to individuals residing with HIV who could have been the sufferer of an information breach
If you may have been the sufferer of an information breach associated to your HIV standing or different private data:
- First, complain on to the organisation in query.
- If you might be dissatisfied with their response, or if you don’t obtain a response, you’ll be able to file a criticism to the ICO. Our complaints device may be discovered right here. You can also want to contact neighborhood assist companies equivalent to National AIDS Trust, Terrence Higgins Trust or Positive Life.
The ICO can think about complaints about the best way your data has been dealt with and whether or not there was an infringement of information safety legislation. They will share a choice about what they suppose ought to occur subsequent.
The ICO could make suggestions to organisations to place issues proper or to enhance their practices after they suppose it’s crucial to take action. Where they’ve important considerations about an organisation’s potential to adjust to the legislation, they will take enforcement motion.
Advice for HIV companies
A person’s HIV standing is very delicate data that have to be dealt with with care. When accessing healthcare and different important companies, individuals must belief that their medical data is secure and solely available to authorised staff.
Healthcare organisations ought to guarantee:
- Staff are completely educated: Organisations ought to have information safety coaching in place that’s role-specific, tailor-made and related to the duties being accomplished. Staff ought to really feel assured in dealing with individuals’s private data safely and securely. It have to be clear to workers about what data they’re allowed to access.
- Appropriate technical measures are in place: Appropriate measures, equivalent to passwords and access controls, must be in place to make sure private data can solely be seen by individuals who want to make use of it.
- Do not use BCC when sending bulk communications: Failure to make use of BCC accurately in emails is likely one of the high information breaches reported to us yearly – and these breaches could cause actual hurt, particularly the place delicate private data is concerned. While BCC is usually a helpful perform, it’s not sufficient by itself to correctly shield individuals’s private data. If organisations are sending any delicate private data electronically, or are contacting people concerning health-related issues, they need to use alternate options to BCC, equivalent to bulk e-mail companies, mail merge, or safe information switch companies. Guidance on utilization of BCC may be discovered right here.
- Staff are clear on the info breach reporting course of: An organisation should report misuse of non-public information to the ICO if there’s a danger to individuals’s rights and freedoms, which is usually the case with delicate medical data. This have to be reported inside 72 hours of changing into conscious of the breach. More data on breach reporting is right here. Personal data breaches are handled critically, and with the popularity that people affected have been denied the dignity and privateness that all of us count on when accessing healthcare companies.
