Persistent data breaches denying HIV patients 'basic dignity', Information Commissioner says

UK Information Commissioner (ICO) John Edwards has called for “urgent improvement” as persistent data breaches are denying HIV patients “basic dignity and privacy”.  

The announcement comes after recent findings by the ICO revealed that the health sector accounts for more than a fifth of personal data breaches. 

Edwards said the lack of action is leaving those with HIV subject “to sigma and prejudice” from wider society, subsequently shattering their confidence in health services. 

He added: “People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK. We have seen repeated basic failures to keep their personal information safe - mistakes that are clear and easy to avoid.”

In recent years, the ICO has issued reprimands to NHS Highland and HIV Scotland for “serious data breaches” which exposed individuals living with the health condition. 

Both organisations used carbon copy (CC) instead of blind carbon copy (BCC) when sending emails to those suffering from the condition, meaning the recipients could see each other’s email addresses. In NHS Highland, one recipient confirmed they had recognised four other individuals, one of whom was a previous sexual partner.

“Over the past few decades, there have been remarkable advances in treatment and support for those living with HIV, but for people to be able to confidently use that support, they must be able to trust that when they share their personal information, it is being protected,” Edwards added.

The ICO is also calling for better staff training, appropriate technical procedures and prompt reporting from HIV services, to tackle the issue. 

Adam Freedman, policy, research and influencing manager at the National AIDS Trust, said: “Strong regulatory action is needed when organisations breach the protection of HIV status data, which unfortunately continues to carry with it more harmful stigma than other types of personal data.

“People living with HIV need the confidence to know that they have recourse when their data rights are breached, and to prevent the risk of further discrimination and harassment.”

Meanwhile, the ICO has been working with HIV and domestic abuse charities to improve the support given to people who have had their data breached. An update on this work is to be published soon.