The UK's data watchdog today issued the Independent Inquiry into Child Sexual Abuse (IICSA) a £200,000 penalty after it sent a bulk email to participants that identified possible victims of historical crimes.
The Information Commissioner's Office (ICO) said IICSA – set up in 2014 to probe the degree to which institutions in England and Wales failed in their duty to protect young people from molestation – had breached the Data Protection Act (DPA) 1998 by not keeping confidential and sensitive personal data secure.
An employee of the inquiry sent a blind carbon copy (BCC) email to 90 participants to inform them of a public hearing. After noticing an error, the employee issued a correction, but this time the email addresses were mistakenly entered into the "to" field rather than BCC.
As a result, all recipients were able to view each other's email addresses, exposing other possible victims of child sexual abuse. Some 52 of the addresses included full names or had a full name label attached.
One recipient notified IICSA of the breach, but in doing so added two further email addresses to the "to" field before replying to all in the chain.
IICSA subsequently sent three emails requesting that the recipients delete the original email and not circulate it further, but one of these in turn led to 39 "Reply All" emails.
According to the ICO, the inquiry: failed to use an account that could send separate emails to each person involved in the cases; didn't give guidance or training on BCC emails; hired an external IT firm to manage the mailing list and relied on advice from the third party that it would prevent email recipients from replying to the whole list; and shared those email addresses with the IT company in breach of its own privacy notice.
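The two controls the ICO found missing, a pre-send check that no group of recipients can see each other's addresses and a sender that produces one message per person, can be expressed in a few lines of standard-library Python. This is an added illustration, not code from the inquiry or the ICO; the addresses and subject are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# More than one address in the visible fields means recipients are disclosed
# to each other; for a mailing to victims the tolerated number is one.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg):
    """Return every address in To/Cc, i.e. what each recipient will see (Bcc is excluded)."""
    pairs = []
    for header in ("To", "Cc"):
        pairs.extend(getaddresses(msg.get_all(header, [])))
    return [addr for _, addr in pairs if addr]


def check_before_send(msg):
    """Pre-send guard: refuse a message whose recipients would see each other."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, (f"{len(visible)} addresses in To/Cc would be disclosed to all "
                       "recipients; send individual messages or use Bcc")
    return True, "ok"


def build_individual_messages(sender, recipients, subject, body):
    """One message per recipient, so no participant ever sees another's address
    and a reply goes back to the sender rather than to the whole group."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Reply-To"] = sender
        m["Subject"] = subject
        m.set_content(body)
        messages.append(m)
    return messages


def faulty_correction_message():
    """Constructed example of the mistake described above: a correction with
    all participants in the 'to' field instead of Bcc (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "inquiry@example.org"
    m["To"] = "alice@example.org, bob@example.org, carol@example.org"
    m["Subject"] = "Correction: public hearing"
    m.set_content("Please disregard the earlier message.")
    return m
```

Running `check_before_send(faulty_correction_message())` rejects the message, while each message from `build_individual_messages` passes because it carries exactly one visible address.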
The ICO's director of investigations, Steve Eckersley, said the breach placed "vulnerable" people "at risk" and that IICSA "should and could have done more to ensure this did not happen".
"People's email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant," he added.
The ICO and IICSA were sent 22 complaints about the security breach, one from someone who said they were "very distressed" by it.
The breach was dealt with under the DPA 1998, rather than the 2018 Act that replaced it, because it occurred in February 2017.
The Inquiry said it takes data protection "very seriously" and apologised to the victims impacted by this security breach.
"After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimised," the IICSA said. ®