Abuse inquiry fined £200,000 for email data breach

The Independent Inquiry into Child Sexual Abuse has been fined £200,000 after sending a mass email that identified possible abuse victims, the Information Commissioner’s Office says.
An inquiry staff member emailed 90 people using the “to” field instead of the “bcc” field – allowing recipients to see each other’s addresses, it said.
The ICO said the incident last year was a breach of the Data Protection Act.
The inquiry said it had apologised and reviewed its data-handling.
Twenty-two complaints were received about the breach and one person told the ICO he was “very distressed” by it.
The inquiry, which covers England and Wales, was set up in 2014 with the aim of investigating claims against local authorities, religious organisations, the armed forces and public and private institutions – and people in the public eye.
An inquiry staff member first sent a blind carbon copy (bcc) email on 27 February 2017 to 90 inquiry participants telling them about a public hearing, the ICO said.
After an error was noticed in the email, a correction was sent, but email addresses were entered into the “to” field instead, revealing the addresses of the recipients.
Fifty-two of the email addresses contained full names or had a full name label attached.
The inquiry was alerted to the breach by a recipient who entered two further email addresses into the “to” field, before clicking on “reply all”.
It then sent three emails asking those who had received the email to delete it and not to circulate it further.
The ICO investigation found the inquiry:
Steve Eckersley, the ICO’s director of investigations, said the breach “placed vulnerable people at risk” and called this “concerning”.
“IICSA should and could have done more to ensure this did not happen,” he said.

Source: BBC
