Child sexual abuse investigation fined £200,000 after sending bulk email identifying possible victims

Data breach 'placed vulnerable people at risk', warns Information Commissioner’s Office

Chris Baynes
Wednesday 18 July 2018 13:33 BST
Professor Alexis Jay, chair of the Independent Inquiry into Child Sexual Abuse
Professor Alexis Jay, chair of the Independent Inquiry into Child Sexual Abuse

The Independent Inquiry into Child Sexual Abuse has been fined £200,000 after sending a bulk email that identified possible victims.

Some 90 participants in the public inquiry were potentially identified by the “concerning” blunder, said the Information Commissioner’s Office (ICO), which warned the incident had “placed vulnerable people at risk”.

The incident saw 52 participants identified by their full name, with at least one said to have been “very distressed” by the security breach.

ICO director of investigations Steve Eckersley said: “This incident placed vulnerable people at risk, which is concerning. IICSA [the inquiry] should and could have done more to ensure this did not happen.

“People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

The breach happened on 27 February last year, when an inquiry staff member emailed 90 participants to inform them about a public hearing.

The employee mistakenly entered their email addresses into the “to” field, allowing all the recipients to see who else received the message, rather than the “blind carbon copy – Bcc” field, which would have identified only each individual recipient.

In the incident, 52 of the participants who received the email had their full names linked to their addresses.

The inquiry and the ICO received 22 complaints about the email, which breached the Data Protection Act 1998.

The IICSA, set up in 2014 to investigate institutional failures to protect children from sexual abuse, had not kept confidential and sensitive personal information secure, the ICO said.

An ICO investigation found inquiry staff had failed to use an email account that could send a separate email to each recipient, and had not received any training or guidance on the importance of checking emails were sent using the “blind carbon copy” field.

The inquiry had also hired an IT company to manage the mailing list and breached its own privacy notice by sharing participants’ email addresses with the company without their consent, the ICO said.

An IICSA spokeswoman said: “The inquiry takes its data protection obligations very seriously and we have apologised to those affected by the data breach.

“After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimised.”

Because of the date of the data breach, the case was not dealt with under the Data Protection Act 2018, which gives the ICO the power to impose fines of up to £17m. Under the 1998 Act, the maximum financial penalty was £500,000.

The IICSA has been beset by controversy since it was announced by Theresa May, then home secretary.

Its chair, Prof Alexis Jay, was the fourth appointed to oversee the probe after her three predecessors resigned.

In November 2016 one of the largest survivors’ groups, representing hundreds of children who lived in care homes in Lambeth, pulled out of participating in the inquiry, saying it had lost confidence in it.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in