The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 by the Information Commissioner's Office (ICO) after sending a bulk email that identified possible victims of non-recent child sexual abuse.
The Inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure. This is a breach of the Data Protection Act 1998.
On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent but email addresses were entered into the "to" field, instead of the "bcc" field, by mistake.
This allowed the recipients to see each other's email addresses, identifying them as possible victims of child sexual abuse.
Fifty-two of the email addresses contained the full names of the participants or had a full name tag attached.
The Inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the "to" field before clicking on "Reply All".
The Inquiry then sent three emails asking the recipients to delete the original email and not to circulate it further. One of these emails generated 39 "Reply All" emails.
ICO Director of Investigations, Steve Eckersley, said:
"This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.
People's email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant."
The ICO investigation found:
The Inquiry failed to use an email account that could send a separate email to each participant;
The Inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participants' email addresses were entered into the "bcc" field;
The Inquiry hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list;
In July 2017 a recipient clicked on Reply All in response to an email from the Inquiry, via the mailing list, and revealed their email to the entire list;
The Inquiry breached their own privacy notice by sharing participants' email addresses with the IT company without their consent.
The Inquiry and the ICO received 22 complaints about the security breach, and one complainant told the ICO he was very distressed by the security breach. IICSA has since apologised to the affected individuals.
The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach.