"Thank you for raising your concerns regarding the way the Radio Society of Great Britain handles personal information.
Your concern relates to the email of 18/19 October 2016 where the sender failed to use the Blind carbon copy ‘Bcc’ function, when sending the email, resulting in the disclosure of personal email addresses to all recipients.
Our aim is to improve information rights practices. We do this by taking an overview of all concerns that are raised about an organisation with a view to improving its compliance with the Data Protection Act 1998 (‘the DPA’).
We do not investigate every concern we receive. We will put most of our effort into dealing with matters we think give us the best opportunity to make a significant difference to an organisation’s information rights practices.
Depending on the circumstances, for example, we may give an organisation advice about handling personal information, provide guidance, or ask it to review its procedures.
Please see our website for further information:
Our decision
From the information you have provided to us it is likely that the Radio Society of Great Britain has breached the seventh data protection principle of the DPA as, whilst it did not disclose any sensitive information, it disclosed individuals’ personal email addresses by failing to use the ‘Bcc’ function when sending those emails.
The seventh principle states that:
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
This is a breach of the seventh principle of the DPA, because it appears the Radio Society of Great Britain failed to take appropriate measures to ensure the security of the personal data.
Next Steps
As a result of this breach, we have written to the Radio Society of Great Britain informing them that they have breached the DPA by failing to take appropriate measures to ensure the security of the personal data, and giving them some advice for the future in this area to ensure a repeat of this incident does not occur.
Although at this stage we are not taking any further action we will keep the concerns raised on file. This will help us over time to build up a picture of the Radio Society of Great Britain’s information rights practices.
If you are dissatisfied with the way your case has been handled, you can ask to have it reviewed. Please note that we do not usually accept a request for a case review more than three months after the closure of a case. For more information please see our website.
Yours sincerely
Karla Bailey
Case Officer
Information Commissioner’s Office"
1 comment:
Interesting article. I have a similar concern where a committee is CC'ing my data to a yahoo.com email address (an email provider with a proven history of data breaches). They also appear to have their own separate privacy policy despite being part of RSGB.