
This article is more than 1 year old

Brit watchdog fines child sex abuse inquiry £200k over mass email blunder

Breach identified potential victims taking part in probe

The UK's data watchdog today issued the Independent Inquiry into Child Sexual Abuse (IICSA) a £200,000 penalty after it sent a bulk email to participants that identified possible victims of historical crimes.

The Information Commissioner's Office (ICO) said IICSA – set up in 2014 to probe the degree to which institutions in England and Wales failed in their duty to protect young people from molestation – had breached the Data Protection Act (DPA) 1998 by not keeping confidential and sensitive personal data secure.

An employee of the inquiry sent a blind carbon copy (BCC) email to 90 participants to inform them of a public hearing. When the error was realised, a correction was issued, but the email addresses were mistakenly entered into the "to" field rather than BCC.

As a result, all recipients were able to view each other's email addresses, highlighting other possible victims of child sexual abuse. Some 52 of the addresses included full names or had a full name label attached.

One recipient notified IICSA of the breach, and they then entered two further email addresses into the "to" field before replying to all in the chain.

IICSA subsequently sent three emails requesting that the recipients delete the original email and not circulate it further, but one of these in turn led to 39 "Reply All" emails.

According to the ICO, the inquiry: failed to use an account that could send separate emails to each person involved in the cases; didn't give guidance or training on BCC emails; hired an external IT firm to manage the mailing list and relied on advice from the third party that it would prevent email recipients from replying to the whole list; and shared those email addresses with the IT company in breach of its own privacy notice.

The ICO's director of investigations, Steve Eckersley, said the breach placed "vulnerable" people "at risk" and the IICSA "should and could have done more to ensure this did not happen".

"People's email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant," he added.

The ICO and IICSA were sent 22 complaints about the security breach, one from someone who said they were "very distressed" by it.

The breach was dealt with under the DPA 1998, not the 2018 Act that replaced it, due to the date of the breach in February 2017.

The Inquiry said it takes data protection "very seriously" and apologised to the victims impacted by this security breach.

"After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimised," the IICSA said. ®

 
