Independent Inquiry into Childhood Sexual Abuse fined £200,000 for email data leak

The Information Commissioner's Office (the ICO) has fined the Independent Inquiry into Childhood Sexual Abuse (IICSA) £200,000 following a data leak on 27 February 2018.  The leak occurred  when a member of staff sent a 'round-robin' email, but mistakenly used the 'to' field instead of the 'bcc' field, inadvertently disclosing the email addresses of 90 individuals (known as 'Participants') who had anonymously submitted evidence to the inquiry about their childhood sexual abuse.  The security breach was exacerbated because 39 'reply to all' emails were sent by 22 of the recipients.

The ICO found that the IICSA had breached the Seventh Data Protection Principle under the Data Protection Act 1998 (the prevailing law at the time of the breach).  This Principle requires organisations to take appropriate technical and organisational measures against the unauthorised data processing.  In particular, it had failed to use an email account that could send separate emails to Participants and it had failed to provide staff with adequate training on the importance of double-checking that emails were entered into the 'bcc' field.

The ICO was satisfied that the contravention was serious.  52 of the 90 emails contained the full names of the Participants.  23 contained a partial name.  The recipients of the emails could infer that many of the other recipients were victims and survivors of childhood sexual abuse.  This information obviously amounted to sensitive personal data and the IICSA had given assurances that Participant's identities would be protected.  The ICO noted that the Participants were already suffering the lifelong consequences of child sexual abuse and were therefore extremely vulnerable.

Imposing the penalty, the ICO observed that whilst the IICSA had apologised that it had failed to take effective remedial action thereby exacerbating the breach. It had received some 22 complaints about the breach.

A copy of the ICO's Monetary Penalty Notice can be found here.

This type of data breach is sadly not unusual.  The Chelsea and Westminster NHS Foundation Trust was fined £180,000 by the ICO in May 2016 after its 56 Dean Street sexual health clinic sent an email newsletter to 781 patients receiving HIV treatment, disclosing their identities to each other (see our blog piece here).  The intention had been to use the ‘bcc’ section rather than ‘cc’ section.  Similarly, in June 2017, an employee of the University of East Anglia ('UEA') sent information containing highly personal information about students to 191 American Studies undergraduates by making an error when entering the recipient email address (see our blog piece here). The UEA avoided ICO sanction.

In addition to any regulatory action taken by the ICO, the IICSA faces the prospect of individual claims for compensation from the individuals affected pursuant to the Data Protection Act 1998 and/or for the misuse of private information/breach of confidence.

Click here if you require more information on how Brett Wilson LLP privacy solicitors can assist you if your privacy has been breached.