
ICO enforcement: a sector by sector approach?

Insight


The Information Commissioner’s Office (ICO) recently issued a fine and reprimand to the Central Young Men’s Christian Association (Central YMCA) following a data breach involving the sending of a bulk email without using ‘Bcc’ (blind carbon copy). Despite the relative seriousness of the breach, the ICO significantly reduced the fine in line with its enforcement approach which aims to soften the impact of monetary penalties for public sector bodies. This reduced fine for Central YMCA indicates that charities and not-for-profit organisations might also be beneficiaries of the ICO’s more lenient enforcement approach.  

What happened?

The Central YMCA is an education and wellbeing charity which runs a number of community programmes. One of these programmes is the Positive Health Programme, an exercise scheme designed for individuals living with HIV. On 6 October 2022, a coordinator for the Programme sent an email to 270 individuals participating in the Programme using the ‘Cc’ (carbon copy) rather than the ‘Bcc’ (blind carbon copy) function, which revealed the email addresses of the recipients to all the other recipients. Of those 270 recipients, 166 individuals could be identified or potentially identified from their email address. Given the nature of the programme and the contents of the email, recipients could identify and infer that the 166 individuals were likely to be living with HIV. This meant that the use of ‘Cc’ when sending the email had inadvertently disclosed ‘special category data’ under Article 9(1) of the UK GDPR.

Following an investigation, the ICO concluded that the Central YMCA failed to ensure appropriate security of personal data using appropriate technical or organisational measures. In reaching that conclusion, the ICO noted that the Central YMCA:

  • Did not have an appropriate information security policy or procedures in place at the time of the incident,
  • Inappropriately relied on the use of ‘Bcc’ (as opposed to other, more secure means) to send group emails,
  • Did not provide data protection training specific to employee roles and levels of access to personal data,
  • Had a lack of awareness of data protection legislation within some parts of the organisation, and
  • Did not effectively monitor completion of data protection training by the charity’s staff.

Given the potential seriousness of the breach, the ICO considered imposing a £300,000 penalty. However, in line with the ICO’s current enforcement approach regarding public sector and, apparently, not-for-profit/charity data controllers (more on this below), this fine was reduced to just £7,500 and the Central YMCA were issued a reprimand.

This fine follows an alarming trend of personal data breaches involving sensitive information being committed by organisations that help individuals living with HIV. The ICO had previously issued a fine of £10,000 to HIV Scotland (another charity) in October 2021 and a reprimand to the NHS Highland health board in March 2023 after each organisation committed remarkably similar data breaches by failing to use the ‘Bcc’ email function. Clearly concerned by this apparent trend, the ICO issued a statement on 30 April 2024 which called for urgent improvements to the data protection standards at health service organisations which help individuals living with HIV.

What does this fine indicate?

In an open letter dated 30 June 2022, John Edwards, the Information Commissioner, had confirmed that the ICO is trialling an enforcement approach which has seen a greater use of the ICO’s discretion to reduce the size of fines issued to public sector bodies. The ICO’s idea behind this trial is that large fines in isolation are not an effective deterrent for data protection breaches within the public sector. This is because public sector fines can impact the victims of the breach rather than the perpetrators, given that fines may result in reduced budgets for essential services that are typically used by the victims of a data breach. In essence, as the ICO saw it, a hefty fine meant that the victims of a personal data breach were being punished twice for an organisation’s data protection failures.

In practice, this has meant that the ICO has increased the use of its wider enforcement powers, including warnings, reprimands and enforcement notices, with (reduced) fines only being issued in the most serious cases. One of the more significant examples of this enforcement approach in action was the issue of a reprimand to the Department for Education (DfE) following its prolonged and serious misuse of the personal data of up to 28 million children. Although this was clearly a very significant breach, the DfE was only issued a reprimand in line with the new public sector enforcement approach. This is despite the ICO saying that it would have issued a fine of £10,030,000 under its previous regulatory action policy.

The much-reduced fine issued to Central YMCA gives a fairly strong indication that the ICO’s more lenient public sector enforcement approach has been extended to the charities and not-for-profit sector. Although these third sector organisations have not been given any express assurance from the ICO (ie they have not had a public statement similar to the ICO’s open letter to public bodies from June 2022), the general enforcement trend does indicate a change in direction away from issuing fines to charities and not-for-profits. Indeed, it is notable that this modest fine for Central YMCA is the first fine issued by ICO to a charity in 2023 or 2024.

One might further note a broader trend of less aggressive ICO enforcement action across the board. Since John Edwards’ appointment in January 2022, the ICO has issued fewer monetary penalty notices overall but has made wide use of reprimands. This is despite the ICO’s published figures showing a 25 per cent increase in data security incidents reported to the ICO from 2022 to 2023.

However, recent enforcement activity should provide at least a degree of reassurance to charities and not-for-profit organisations because it does seem that these third sector organisations are also benefiting from this significant change in enforcement policy. Although there are no indications at the time of writing that this will change over the course of 2024, it is important to note that the ICO’s open letter of 30 June 2022 said that the ICO would trial the new enforcement approach for two years – and technically that period is up very soon. We await further ICO announcements to see whether the "fine low, reprimand more" enforcement principles are here to stay, and which organisations they might apply to.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, June 2024


About the authors


Alan Baker

Partner

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.


Email Alan +44 (0)20 3375 7441

Andrew Rogers

Associate

Andrew advises clients on a range of commercial, intellectual property (IP) and data protection issues. Andrew specialises in several areas of law, including data protection, commercial contract and wider IP matters. His experience includes advising on matters relating to the management, protection and commercialisation of IP rights, a range of commercial contracts, data protection issues and consumer regulatory law. He works closely with clients across a number of sectors, including private businesses, education institutions and not-for-profits.


Email Andrew +44 (0)20 3375 7324