Wednesday, 30 November 2016

RSGB Data Breach - ICO Response

The following has just been received from the ICO, in response to this incident:

"Thank you for raising your concerns regarding the way the Radio Society of Great Britain handles personal information.

Your concern relates to the email of 18/19 October 2016 where the sender failed to use the Blind carbon copy ‘Bcc’ function, when sending the email, resulting in the disclosure of personal email addresses to all recipients.

Our aim is to improve information rights practices. We do this by taking an overview of all concerns that are raised about an organisation with a view to improving its compliance with the Data Protection Act 1998 (‘the DPA’).

We do not investigate every concern we receive. We will put most of our effort into dealing with matters we think give us the best opportunity to make a significant difference to an organisation’s information rights practices.

Depending on the circumstances, for example, we may give an organisation advice about handling personal information, provide guidance, or ask it to review its procedures.

Please see our website for further information:

Our decision

From the information you have provide to us it is likely that the Radio Society of Great Britain has breached the seventh data protection principle of the DPA as, whilst it did not disclose any sensitive information, it disclosed individuals personal email addresses by failing to use the ‘Bcc’ function when sending those emails.

The seventh principle states that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

This is a breach of the seventh principle of the DPA, because it appears the Radio Society of Great Britain failed to take appropriate measures to ensure the security of the personal data.

Next Steps

As a result of this breach, we have written to the Radio Society of Great Britain informing them that they have breached the DPA by failing to take appropriate measures to ensure the security of the personal data, and giving them some advice for the future in this area to ensure a repeat of this incident does not occur.

Although at this stage we are not taking any further action we will keep the concerns raised on file. This will help us over time to build up a picture of the Radio Society of Great Britain’s information rights practices.

If you are dissatisfied with the way your case has been handled, you can ask to have it reviewed. Please note that we do not usually accept a request for a case review more than three months after the closure of a case. For more information please see our website.

Yours sincerely

Karla Bailey
Case Officer
Information Commissioner’s Office"

1 comment:

  1. Interesting article. I have a similar concern where a committee is CC'ing my data to a email address (an email provider with a proven history of data breaches). They also appear to have their own separate privacy policy despite being part of RSGB.