
ICO Fines Charity £10,000 for UK GDPR Breach

According to the ICO, the charity failed to apply appropriate organizational and technical security measures to its internal email systems.
July 9, 2022

On 22 October 2021 the Information Commissioner’s Office (ICO) fined an HIV charity £10,000 for a breach of the UK GDPR. According to the ICO, the charity failed to apply appropriate organizational and technical security measures to its internal email systems.

This decision - which comes just three months after the ICO fined another charity £25,000 for a sensitive data breach - provides key takeaways for production companies.

What happened?

In February 2020 the charity sent an email to 105 people using the CC function instead of the BCC function. This meant that the email addresses - 65 of which identified the recipients by name - were visible to all recipients.

Because of the nature of the email and the charity, the breach could lead to assumptions about individuals’ HIV status or risk. So while the email addresses themselves didn’t constitute special category data, special category data relating to the recipients’ health could be inferred.

The breach was identified immediately and the message was recalled, but it was impossible to determine how successful this was. The charity reported the incident to the ICO on the day it happened.

ICO’s decision

Although the charity had some organizational and technical security measures in place, the ICO decided that these weren’t enough.

In particular, the ICO found that the charity didn’t have a specific policy on the secure handling of personal data (instead, employees relied on the charity’s Privacy Policy, a public document which covered topics such as cookie use and data subject access rights).

The ICO also found that while the charity had procured, seven months earlier, a system which allowed bulk messages to be sent more securely, it hadn’t started using this and was continuing to use email.

Key takeaways for productions

This decision has a number of key takeaways for production companies: 

  • The ICO is continuing to crack down on organizations which don’t have sufficient safeguards in place to protect people’s data, particularly special category data.
  • It’s important to have an appropriate data protection policy in place which focuses on your team’s handling of personal data. 
  • Individuals who handle personal data (particularly special category data) should be trained on how to do so before they’re given access to the data. 
  • The use of email for sensitive communications can leave you exposed to a data breach. Messaging systems which include functionality for sending messages more securely can help to reduce the risk of information being shared with the wrong people. 
  • It’s important to be aware of the dangers of collecting special category data via email. This includes health data (e.g., vaccination data) and diversity data.

For more information on how to secure your production data, check out our guide to information security.

© 2022 Entertainment Partners. All rights reserved.