The Information Commissioner's Office has fined Gloucestershire Police £80,000 for failing to conceal the identity of dozens of victims of child abuse, thereby causing immense distress to the affected victims.
The breach occurred on 19th December 2016 when an officer at Gloucestershire Police sent a bulk email to 56 recipients to inform them about an update on a case, but instead of putting the email addresses in the 'bcc' field, added them all to the 'To' field.
Human error led to the data breach
According to the Information Commissioner's Office, recipients of the email included victims, witnesses, lawyers and journalists and each recipient could view full names and email addresses of other recipients.
"This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity.
"The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved," said Steve Eckersley, Head of Enforcement at the Information Commissioner's Office.
"This incident again reinforces the need for “data centric” security technologies. This would help protect data at source, removing the risk factor associated with human error and insider threats," said Jan van Vliet, VP and GM EMEA at Digital Guardian.
"If Gloucestershire Police had had such technologies in place, it could have prevented this highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients. All organisations, especially those that handle sensitive personal data, have a duty of care to prioritise data protection and prevent incidents like this taking place," he added.
Exemplary fines handed out to police forces
Back in April, the ICO also slapped a £130,000 fine on Humberside Police for failing to secure three disks that contained the testimony of a rape victim along with sensitive personal information about the victim. According to the ICO, Humberside Police failed to encrypt the disks and lost them while posting them to Cleveland Police.
"We see far too many cases where police forces fail to look after disks containing the highly sensitive personal information contained within victim or witness interviews," said Steve Eckersley, head of enforcement at the Information Commissioner's Office.
"Anyone working in a police force has a duty to stop and think whenever they handle personal details – making sure they are using the most appropriate method for transferring information and considering the consequences of it being lost before going ahead. Staff training in this area is vital.
"Police forces deal with such sensitive information that when things go wrong, it's likely to be serious. This case shows how crucial it is to keep a clear record of what's been sent, when and who to," he added.