Child Abuse Study Group Fined For Email Breach

A group that studies child sexual abuse has been fined £200,000 by the UK Information Commissioner’s Office (ICO) for identifying possible victims in a bulk email.

The Independent Inquiry into Child Sexual Abuse (IICSA) failed to secure confidential data, putting it in violation of the Data Protection Act 1998, according to the ICO.

The IICSA was founded in 2014 to probe whether institutions failed to protect children from sexual abuse.

The incident occurred when an IICSA staff member sent a bcc email to 90 study participants in February 2017 to announce a public hearing.

A follow-up email was sent to correct an error. In this instance, though, email addresses were entered into the ‘to’ field instead of the ‘bcc’ field, allowing recipients to see email addresses of other possible victims of child sexual abuse, the ICO alleges.

Alerted to the problem by a recipient who had entered two further email addresses into the ‘to’ field before clicking on Reply All, the IICSA sent three emails asking individuals to delete the original email.



One of those emails generated 39 Reply All emails, the ICO charges.

An IT company hired by the IICSA to manage the mailing list said it would prevent individuals from replying to the entire list. But the IICSA breached its privacy notice by sharing email addresses with the IT vendor without the participants’ consent, the ICO contends.

The ICO received 22 complaints, including one from a person who was “very distressed.”

“This incident placed vulnerable people at risk, which is concerning,” states Steve Eckersley, ICO director of investigations. “IICSA should and could have done more to ensure this did not happen.”

Eckersley adds: “People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

The IICSA has apologized for the episode, stating: "After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimized," according to published reports.
