Soho HIV Clinic

F thought that he was  perhaps unduly protective of his personal information, particularly his HIV+ status and related information.

However, this was dispelled on 1st September 2015,  by the media and public  frenzy created by ‘accidental’ disclosure by  Soho HIV Clinic of its patients’ email addresses to other patients.

The event culminated in ICO’s Monetary Penalty Notice of £ 180,000, which is of interest.  He  did not need any evidence that the disclosure had actually caused any concern or distress to the individuals.  Individuals’  mere association with the Clinic was enough for him to issue such a sever Penalty.   At the time of the Notice, only 15 individuals  complained to the Clinic and 9 to the ICO, hardly a flood of concern.  

It should be noted that NO actual personal information, let alone any HIV related information,  was disclosed on these emails, which was merely a distribution of a  Newsletter.  It was merely due to the relationship existed between the   individuals and the Clinic, for the ICO to state that this  was ‘likely’ to cause concern and unwarranted distress.

It should also be noted that an email address is in NO way a definite confirmation of individual’s identity

Individual’s email address, before the “@” sign should be  64 characters long.  It can be a combination of any characters and numbers, arranged in one or two sequences, separated by a “‘.”  in a more recent address.

The identifier must be an unique string of characters and numbers,  in whatever  order.  It  merely identifies the email INBOX, but NOT the actual owner of it, the account holder.   

As a matter of interest, F  in order to maintain anonymity  in  his search for answers to a very sensitive matter, such as HIV, registered an email address, of an imaginary being, which he used to obtain answers, without disclosing his actual identity.  He could use this, as the identifier was UNIQUE;  it was NOT already in use by somebody else.

On receipt of a “standard” Windows based email message, the recipient would have seen the sender’s email address.   The   “To” field would show his email  address.  Should there be more than one recipient, this line may show 2/3 more addresses. In Soho Clinic’s case, it  may have ended with something like “and 780 more...”   The recipient must click on this number to see ALL of the other recipients of the same message.  It is questionable as to how many of the recipients would actually wish to see this information, which is NOT shown.   Taking into consideration the number of complaints, it would appear that the recipients would not have been that “rattled” to see familiar email addresses, which may or may NOT be of the person they may know.

Had these emails been sent by say, Tesco, nobody would have noticed.  It was only when a whiff of HIV  appeared, such a frenzy resulted.

It is a known fact that the Data Protection Act ONLY provides remedy in respect of the perpetrator  of the offence.  The ICO may issue a warning or a Monetary Penalty Notice, up to  £ 500,000.-

The Act DOES NOT provide for a remedy for the VICTIM of the offence.  The ICO has not got the legal powers and therefore  NO interest whatsoever in this respect.  He is not even  empowered  to compel the perpetrator to apologise, let alone pay any compensation.

In this respect, the VICTIM must avail himself  of the provisions of paragraph 13 of the Data Protection Act and take the matter to a COURT.  

It has been confirmed to us that a number of individuals are now claiming compensation from the Clinic, which is assumed to be considerable, FOR ‘ACCIDENTALLY’ MERELY DISCLOSING  their EMAIL ADDRESSES, which in NO WAY positively identify the subscriber to the Newsletter.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.