The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 by the Information Commissioner’s Office (ICO) after sending a bulk email that identified possible victims of non-recent child sexual abuse.
In February 2017 an IICSA staff member sent a blind carbon copy (bcc) email to 90 inquiry participants telling them about a public hearing. After noticing an error, the staff member sent a correction, but this time the email addresses were entered in the ‘to’ field instead of ‘bcc’.
This allowed the recipients to see each other’s email addresses, identifying them as possible victims of abuse. 52 of the email addresses contained full names.
IICSA was alerted to the breach by a recipient of the email, who entered two further email addresses in the ‘to’ field before clicking ‘reply all’. The inquiry then sent three emails asking recipients to delete the original email and not circulate it further, but one of these generated 39 ‘reply all’ messages.
Failure
Among the findings of the ICO investigation was that IICSA failed to use an email account that could send a separate message to each participant, and failed to provide staff with adequate guidance or training.
It also hired an IT company to manage the mailing list, thereby breaching its own privacy notice, and relied on the company’s advice that the list would prevent individuals from replying to everyone on it.
In addition, in July 2017 a recipient clicked ‘reply all’ in response to an email sent by IICSA via its mailing list and revealed their email address to everybody on it.
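The control the ICO said was missing, one message per participant rather than one message to the whole list, is easy to build and easy to check for before anything is sent. The following is an added illustration written for this page; it is not code from the article, IICSA, the ICO or the IT company. The sender address and participant list are constructed placeholders, not the addresses involved in the incident. It reproduces the ‘to’-field error alongside the bcc version and the per-recipient version, and adds a pre-send guard that rejects any message whose visible headers would reveal more than one recipient.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example; hypothetical, not from the incident.
SENDER = "inquiry@example.org"
PARTICIPANTS = [
    "jane.doe@example.org",
    "j.smith@example.net",
    "participant3@example.com",
]


def visible_recipients(msg):
    """Return every address a recipient of `msg` could see: the parsed To and
    Cc headers. Bcc is excluded on purpose: a correctly submitted bcc message
    carries no Bcc header on the wire (smtplib.send_message strips it), so a
    populated Bcc header alone does not expose the list to other recipients."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def exposes_recipient_list(msg, max_visible=1):
    """Pre-send guard: True if the message would reveal more than `max_visible`
    recipient addresses to each person who receives it. This is the check that
    would have caught the corrected email with 90 addresses in the 'to' field."""
    return len(visible_recipients(msg)) > max_visible


def build_bulk_message(sender, recipients, subject, body, field="Bcc"):
    """One message addressed to the whole list. field='To' reproduces the error
    in the article (everyone sees everyone, and 'reply all' reaches the list);
    field='Bcc' hides the list from recipients."""
    msg = EmailMessage()
    msg["From"] = sender
    msg[field] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body):
    """One separate message per participant, each with a single To address,
    so no recipient can see, or 'reply all' to, any other participant."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def safe_to_send(messages):
    """Apply the guard to every outgoing message; True only if none of them
    would expose a recipient list. Call this before handing messages to SMTP."""
    return all(not exposes_recipient_list(m) for m in messages)


if __name__ == "__main__":
    subject, body = "Public hearing", "Details of the forthcoming hearing."
    wrong = build_bulk_message(SENDER, PARTICIPANTS, subject, body, field="To")
    hidden = build_bulk_message(SENDER, PARTICIPANTS, subject, body, field="Bcc")
    separate = build_individual_messages(SENDER, PARTICIPANTS, subject, body)
    print("bulk 'to' exposes list:", exposes_recipient_list(wrong))
    print("bulk 'bcc' exposes list:", exposes_recipient_list(hidden))
    print("per-recipient messages safe:", safe_to_send(separate))
```

The guard deliberately reads the headers as a mail client would parse them rather than trusting which field the operator intended to use, which is exactly the distinction that was lost when the correction was sent. Per-recipient messages also remove the mailing-list ‘reply all’ problem described above, since each message has only the sender and one participant in its visible headers.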
Steve Eckersley, the ICO director of investigations, said: “This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.
“People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”