A member of staff at the 56 Dean Street HIV clinic, which the Trust runs, accidentally sent a newsletter to over 700 subscribers of an HIV service, using the 'to' field instead of the 'bcc' field.
This resulted in all the recipients of the email being able to identify the email addresses of the other recipients, which in the majority of cases included the full name of service users. In some of the cases, the recipient did not have HIV.
The ICO also discovered that the HIV clinic had not informed service users when they subscribed to the service that their email addresses would be used to send newsletters to the other service users by bulk mail.
The ICO found that the Trust had failed to take appropriate technical and organisational measures against unauthorised processing of personal data, and that the Trust had failed to provide staff with specific training on ensuring email addresses were entered into the bcc field.
There had been a serious breach, which was likely to have caused substantial distress, according to Christopher Graham, the Information Commissioner, who said: 'People's use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care, following clear rules, and, put simply, this did not happen. It is clear that this breach caused a great deal of upset to the people affected. The clinic served a small area of London, and we know that people recognised other names on the list and feared their own name would be recognised too.'
The ICO investigation revealed that the Trust had made a similar error in 2010, when a member of staff had sent a questionnaire to 17 patients in relation to HIV treatment and had entered the details in the 'to' field rather than the 'bcc' field. It was decided that not enough training had been implemented after that mistake.