UK: ICO fines Central YMCA £7,500 for data security failures
On April 30, 2024, the Information Commissioner's Office (ICO) announced that it had issued a reprimand and a fine of £7,500 against the Central Young Men's Christian Association (the Central YMCA) for violation of the UK General Data Protection Regulation (UK GDPR) following a data breach.
Background to the decision
The ICO stated that there was a data breach at Central YMCA where emails intended for those on an HIV support program were sent to 264 email addresses using 'CC' instead of 'BCC,' revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable.
Findings of the ICO
Following an investigation, the ICO found, among other things, that the Central YMCA did not have sufficient written information security policies and procedures and did not provide role-specific data protection training.
Subsequently, the ICO determined that Central YMCA violated Articles 5(1)(f), 32(1), and 32(2) of the UK GDPR by failing to:
- ensure appropriate security of personal data; and
- implement technical and organizational security measures appropriate to the risk of the processing.
Outcomes
In light of the above, the ICO imposed a fine of £7,500 on Central YMCA.
You can read the press release here, the reprimand here, and the fine here.