The Independent Inquiry into Child Sexual Abuse has been fined £200,000 by the Information Commissioner’s Office after a catalogue of data governance issues triggered a bulk email which identified possible victims of historic child sexual abuse.
The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, was itself found wanting by not keeping confidential and sensitive personal information secure.
On February 27, 2017, a member of staff working for the Inquiry sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent but email addresses were entered into the ‘to’ field, instead of the ‘bcc’ field by mistake.
This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.
Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.
The Inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the ‘to’ field before clicking on ‘Reply All’.
The Inquiry then sent three emails asking the recipients to delete the original email and not to circulate further. One of these emails generated 39 ‘Reply All’ emails.
The catalogue of errors included the fact that the Inquiry failed to use an email account that could send a separate email to each participant, and failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participants’ email addresses were entered into the ‘bcc’ field.
The Inquiry also hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list.
The Inquiry also breached its own privacy notice by sharing participants’ email addresses with the IT company without their consent.
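The two controls the ICO faults the Inquiry for lacking (a mail system that sends each participant a separate message, and a check that addresses never end up in a shared visible field) can be enforced in code rather than left to staff vigilance. The following is an added example, not code from the Inquiry, its IT contractor or the ICO; the addresses are constructed placeholders and `DryRunSMTP` is an assumed stand-in for a real `smtplib.SMTP` connection so the example runs offline.

```python
"""Added example (not part of the ICO report or the Inquiry's systems): build
one email per participant so no two recipients ever share a To/Cc header, and
gate every outgoing message on a 'no more than one visible recipient' check.
All addresses are constructed placeholders on the reserved example.invalid domain."""

from email.message import EmailMessage
from email.utils import getaddresses

# Constructed participant list; the real list held 90 addresses, many with names.
PARTICIPANTS = [
    "Jane Doe <jane.doe@example.invalid>",
    "john.smith@example.invalid",
    "Participant Three <p3@example.invalid>",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: To and Cc (Bcc is stripped on send)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def is_safe_to_send(msg: EmailMessage) -> bool:
    """Pre-send gate: refuse any message that would expose more than one address."""
    return len(visible_recipients(msg)) <= 1


def build_individual_messages(sender, subject, body, recipients):
    """One message per recipient; the To header carries only that person.
    This also removes the 'Reply All' amplification seen in the incident."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def build_group_message(sender, subject, body, recipients):
    """The mistake described in the report: every participant in the To field.
    Built here only so the gate can be shown rejecting it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_all(messages, smtp):
    """Send only messages that pass the gate; return (sent, blocked) counts.
    `smtp` is anything exposing send_message(msg), e.g. smtplib.SMTP."""
    sent = blocked = 0
    for msg in messages:
        if is_safe_to_send(msg):
            smtp.send_message(msg)
            sent += 1
        else:
            blocked += 1
    return sent, blocked


class DryRunSMTP:
    """Assumed stand-in for smtplib.SMTP so the example runs without a mail server."""

    def __init__(self):
        self.sent = []

    def send_message(self, msg):
        self.sent.append(msg)


if __name__ == "__main__":
    sender = "hearings@example.invalid"
    good = build_individual_messages(sender, "Public hearing", "Details follow.", PARTICIPANTS)
    bad = build_group_message(sender, "Public hearing", "Details follow.", PARTICIPANTS)
    smtp = DryRunSMTP()
    print(send_all(good + [bad], smtp))  # the three individual messages go out, the group one is blocked
```

The gate deliberately counts To and Cc only: putting the whole list in Bcc would pass it, which is the pattern the Inquiry first used, but the per-message builder makes Bcc unnecessary in the first place, so a policy that rejects any Bcc header at all is a reasonable further tightening.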
The Inquiry and the ICO received 22 complaints about the security breach, and one complainant told the ICO he was “very distressed” by the security breach. The Inquiry has since apologised to the affected individuals.
ICO director of investigations Steve Eckersley said: “This incident placed vulnerable people at risk, which is concerning. The Inquiry should and could have done more to ensure this did not happen.
“People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”
Last month, Gloucestershire Police was fined £80,000 for sending a bulk email that also identified victims of historical child abuse.