F thought that he was perhaps unduly protective of his personal information, particularly his HIV+ status and related information.
However, this was dispelled on 1st September 2015, by the media and public frenzy created by ‘accidental’ disclosure by Soho HIV Clinic of its patients’ email addresses to other patients.
The event culminated in ICO’s Monetary Penalty Notice of £ 180,000, which is of interest. He did not need any evidence that the disclosure had actually caused any concern or distress to the individuals. Individuals’ mere association with the Clinic was enough for him to issue such a sever Penalty. At the time of the Notice, only 15 individuals complained to the Clinic and 9 to the ICO, hardly a flood of concern.
It should be noted that NO actual personal information, let alone any HIV related information, was disclosed on these emails, which was merely a distribution of a Newsletter. It was merely due to the relationship existed between the individuals and the Clinic, for the ICO to state that this was ‘likely’ to cause concern and unwarranted distress.
It should also be noted that an email address is in NO way a definite confirmation of individual’s identity.
Individual’s email address, before the “@” sign should be 64 characters long. It can be a combination of any characters and numbers, arranged in one or two sequences, separated by a “‘.” in a more recent address.
The identifier must be an unique string of characters and numbers, in whatever order. It merely identifies the email INBOX, but NOT the actual owner of it, the account holder.
As a matter of interest, F in order to maintain anonymity in his search for answers to a very sensitive matter, such as HIV, registered an email address, of an imaginary being, which he used to obtain answers, without disclosing his actual identity. He could use this, as the identifier was UNIQUE; it was NOT already in use by somebody else.
On receipt of a “standard” Windows based email message, the recipient would have seen the sender’s email address. The “To” field would show his email address. Should there be more than one recipient, this line may show 2/3 more addresses. In Soho Clinic’s case, it may have ended with something like “and 780 more...” The recipient must click on this number to see ALL of the other recipients of the same message. It is questionable as to how many of the recipients would actually wish to see this information, which is NOT shown. Taking into consideration the number of complaints, it would appear that the recipients would not have been that “rattled” to see familiar email addresses, which may or may NOT be of the person they may know.
Had these emails been sent by say, Tesco, nobody would have noticed. It was only when a whiff of HIV appeared, such a frenzy resulted.
It is a known fact that the Data Protection Act ONLY provides remedy in respect of the perpetrator of the offence. The ICO may issue a warning or a Monetary Penalty Notice, up to £ 500,000.-
The Act DOES NOT provide for a remedy for the VICTIM of the offence. The ICO has not got the legal powers and therefore NO interest whatsoever in this respect. He is not even empowered to compel the perpetrator to apologise, let alone pay any compensation.
In this respect, the VICTIM must avail himself of the provisions of paragraph 13 of the Data Protection Act and take the matter to a COURT.
It has been confirmed to us that a number of individuals are now claiming compensation from the Clinic, which is assumed to be considerable, FOR ‘ACCIDENTALLY’ MERELY DISCLOSING their EMAIL ADDRESSES, which in NO WAY positively identify the subscriber to the Newsletter.