It’s a simple error which most of us will have encountered, and usually it is more of an irritation than anything else. But last week’s data breach at NHS Greater Glasgow impacted on a highly sensitive area of healthcare.
A clinic flyer was sent out to 86 NHS service users by email. However, their email addresses were entered in the “To:” field rather than the “BCC:” (Blind Carbon Copy) field and therefore visible to all recipients. And the service users in question were patients of a transgender clinic. http://www.bbc.co.uk/news/uk-scotland-glasgow-west-29804901
Given the nature of email addresses, in many cases names and year of birth were identifiable in addition to the contact email. And this is a group of service users where simply being identified with that specific clinical service area constitutes highly sensitive sexual and health personal data under the DPA. Coupled with this is the specific prohibition on disclosure under s22 of the Gender Recognition Act 2004 for those individuals who have applied for a gender recognition certificate. The impact on individuals is real and the reputational damage to the NHSGG&C considerable.
The Health Board cites “human error” in this instance, and most will be thinking “There but for the grace…”
But this area of risk can be mitigated. Look at your own organisation and ask:
· Is there a clear policy on how group emails are managed and who is authorised to send them?
· Are relevant staff trained or given guidance on how to appropriately manage group communications?
· Has the organisation assessed the risk to identify particularly sensitive business areas or groups of service-users (such as in this case) where additional controls may be necessary?
· Have alternative tools been explored and, where appropriate, provided to staff and mandated for use? This could be a specific email marketing tool (such as Mailchimp) or simply requiring staff to use a mail-merge function to send out multiple individually-addressed emails with the same content.
· Are appropriate controls in place? At the simplest level, this could be setting system limits on the number of recipients permitted in an email, or more sophisticated tools to conditionally monitor outgoing emails and automatically challenge non-compliant communications.
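One way to implement the simplest control in the last point, added here as an example and not code from this post or from NHSGG&C: a check an outbound mail gateway could run on each message, counting the addresses in the visible To:/Cc: headers and holding the message for the sender to confirm when they exceed a policy limit. The limit of ten and the patient address lists are constructed for the example.

```python
import email
from email.utils import getaddresses

# Assumed policy value for this example: more than this many addresses in the
# visible To:/Cc: headers and the message is held for the sender to confirm.
MAX_VISIBLE_RECIPIENTS = 10


def recipient_addresses(raw_message: str, *fields: str) -> list[str]:
    """Return the e-mail addresses found in the given header fields."""
    msg = email.message_from_string(raw_message)
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_outgoing(raw_message: str, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Release or challenge a message at the outbound gateway.

    Addresses in To:/Cc: are disclosed to every recipient; the same list in
    Bcc: is not, so only the visible headers count towards the limit.
    """
    visible = recipient_addresses(raw_message, "To", "Cc")
    hidden = recipient_addresses(raw_message, "Bcc")
    verdict = {"visible": len(visible), "hidden": len(hidden)}
    if len(visible) > max_visible:
        verdict["action"] = "challenge"
        verdict["reason"] = (f"{len(visible)} addresses would be exposed in To:/Cc: "
                             f"(limit {max_visible}); move them to Bcc: or use mail-merge")
    else:
        verdict["action"] = "release"
        verdict["reason"] = "visible recipient count within limit"
    return verdict


def sample_flyer(field: str, count: int) -> str:
    """Constructed test message: a clinic flyer sent to `count` patients in `field`."""
    patients = ", ".join(f"patient{i}@example.com" for i in range(count))
    if field == "To":
        addressing = f"To: {patients}"
    else:  # Cc:/Bcc: lists normally sit beside a To: of the sender's own address
        addressing = f"To: clinic-admin@example.org\n{field}: {patients}"
    return (f"From: clinic-admin@example.org\n{addressing}\n"
            f"Subject: Clinic flyer\n\nPlease see the attached flyer.\n")
```

A production gateway would compare envelope recipients against the header addresses rather than trust a Bcc: header, which most mail clients strip before submission; this example inspects headers only.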
Author Frank Rankin is a consultant and speaker who recently joined the Act Now team. He’s based in Scotland and has over 20 years’ experience as an information governance practitioner. A former chair of the NHS Scotland FOI forum and member of the Scottish Records Advisory Council, Frank has designed and delivered pragmatic training in FOI, Privacy and Records Management across a range of sectors.
Post Script. This isn’t the only case where major organisations have managed to pass hundreds or thousands of personal email addresses to hundreds or thousands of strangers. Examples include a Police and Crime Commissioner in northern England; a large council in Essex bizarrely informing its suppliers that it was required to pass data about them to the National Fraud Initiative; and a cheap and cheerful airline telling all its frequent flyers the email addresses of all its frequent flyers. Do you know when you haven’t been BCC’d? Do you remember when you didn’t BCC? Let us know.
Image Credit. knowhacking.wordpress.com