Child sex abuse inquiry fined £200000 for bulk email identifying possible victims

Want the best of The Telegraph direct to your email and WhatsApp? Sign up to our free twice-daily  Front Page newsletter and new  audio briefings. The ICO said the Inquiry had failed to give staff proper training about the importance of using the “bcc” field, and relied on the assurance of the IT company hired to manage the mailing list that people would not be able to reply to the entire list. Several months later, in July 2017, a further incident arose when a recipient clicked on “Reply All” in response to an email from the Inquiry, sent via the mailing list, and revealed their email to the entire list. IICSA had also breached its own privacy notice by sharing participants’ emails addresses with the IT company without their consent. The Independent Inquiry into Child Sexual Abuse has been fined £200,000 after sending a bulk email that identified possible victims of child sexual abuse, the  Information Commissioner’s Office has said. The inquiry sent a blind carbon copy email to 90 participants on February 27, 2017, telling them about a public hearing, but then a member of staff sent a correction where the email addresses were entered into the “to” field instead, the ICO said.This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.Steve Eckersley, the ICO’s director of investigations, said the incident “placed vulnerable people at risk” and was concerning, adding that the inquiry “should and could have done more to ensure this did not happen”.”People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”One of the respondents said he was “very distressed” by the data breach, and in total the ICO received 22 complaints.Of the 90 email addresses, 52 contained the recipient’s full name or a label with their full name. IICSA became aware of the breach when a recipient added two further email addresses to the “to” field and clicked “reply all”.  The Inquiry then sent three emails asking the recipients to delete the original email and not to send it on. One of these emails led to another 39 “Reply All” emails.  read more