Email ‘incident’ costs Inquiry £200k

by Mark Rowe

An error when sending a bulk email has cost the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000: the data protection regulator, the Information Commissioner’s Office (ICO), fined it for sending an email that identified possible victims of non-recent child sexual abuse.

The Inquiry was set up in 2014 to investigate how institutions failed to protect children from sexual abuse. The ICO found it did not keep confidential and sensitive personal information secure, a breach of the Data Protection Act 1998. On February 27, 2017, an IICSA staffer sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent, but the email addresses were entered by mistake into the ‘to’ field instead of the ‘blind copy’ field. This meant the recipients could see each other’s email addresses, identifying them as possible victims of child sexual abuse. Some 52 of the email addresses contained the full names of the participants or had a full name label attached.

The Inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the ‘to’ field before clicking on ‘Reply All’. The Inquiry then sent three emails asking the recipients to delete the original email and not to circulate further. One of these emails generated 39 ‘Reply All’ emails.
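The failure mode described above, participant addresses placed in the visible ‘to’ field of a bulk correction email, is exactly what a pre-send guard on a mailing tool should catch. The following Python is an added example, not code from the Inquiry or the ICO; the sender address, participant addresses and the threshold of one visible recipient are constructed placeholders.

```python
"""Pre-send guard for bulk notifications: participants belong in Bcc only."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (placeholders, not real participants).
SENDER = "hearings@inquiry.example.org"
SAMPLE_PARTICIPANTS = [
    "participant.one@example.com",
    "participant.two@example.com",
    "participant.three@example.com",
]


class RecipientExposureError(ValueError):
    """Raised when a bulk message would reveal recipients to one another."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> int:
    """Refuse a bulk message that exposes more than `max_visible` addresses.

    The sender's own address in To is allowed; a list of participants is not.
    Returns the number of Bcc recipients when the message passes the check.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise RecipientExposureError(
            f"{len(visible)} addresses visible in To/Cc; "
            "bulk mail must carry participants in Bcc only"
        )
    bcc = [addr for _name, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    return len(bcc)


def build_notification(sender: str, participants: list[str], subject: str,
                       body: str, use_bcc: bool = True) -> EmailMessage:
    """Build a bulk notice. use_bcc=False reproduces the mistake for testing."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if use_bcc:
        msg["To"] = sender                      # self-addressed, nothing leaks
        msg["Bcc"] = ", ".join(participants)    # stripped by SMTP on send
    else:
        msg["To"] = ", ".join(participants)     # the error the ICO fined
    msg.set_content(body)
    return msg
```

Wiring `check_bulk_message` in front of `smtplib.SMTP.send_message` (or the equivalent send call of the mailing tool) turns the mistake into a refused send rather than a breach; the same check applies to a hastily sent correction, which is where this incident occurred.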

ICO Director of Investigations, Steve Eckersley, said: “This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen. People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

The Inquiry and the ICO received 22 complaints about the security breach. The ICO also found that the Inquiry breached its own privacy notice by sharing participants’ email addresses with an IT company (hired to manage the mailing list) without their consent. The IICSA has apologised to those affected and said it had amended its processes for handling personal data.

The fine was steep by the standards of the Data Protection Act 1998, under which the maximum penalty was £500,000. It was not issued under the Data Protection Act 2018, which has replaced the 1998 law and provides for far higher fines, because the breach took place before the new law came into force in May 2018.

© 2024 Professional Security Magazine. All rights reserved.