Independent Enquiry into Child Abuse has been fined £200,000 based on ICO children’s data decision.
The ICO has fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000, after they sent a bulk email that identified possible victims of non-recent child sexual abuse, according to ICO Children’s data decision.
The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998.
An IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing, on the 27 February 2017. After noticing an error in the email, a correction was sent but email addresses were entered into the ‘to’ field, instead of the ‘bcc’ field by mistake.
This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse, according to ICO children’s data decision. Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.