ICO slaps £80,000 fine on Gloucestershire Police for leaking details of abuse victims


The Information Commissioner's Office has fined Gloucestershire Police £80,000 for failing to conceal the identity of dozens of victims of child abuse, thereby causing immense distress to the affected victims.

The breach occurred on 19th December 2016, when an officer at Gloucestershire Police sent a bulk email to 56 recipients to update them on a case but, instead of putting the email addresses in the 'bcc' field, added all of them to the 'To' field.

Human error led to the data breach

According to the Information Commissioner's Office, recipients of the email included victims, witnesses, lawyers and journalists, and each recipient could view the full names and email addresses of the other recipients.

"This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity.

"The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved," said Steve Eckersley, Head of Enforcement at the Information Commissioner's Office.

"This incident again reinforces the need for “data centric” security technologies. This would help protect data at source, removing the risk factor associated with human error and insider threats," said Jan van Vliet, VP and GM EMEA at Digital Guardian.

"If Gloucestershire Police had had such technologies in place, it could have prevented this highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients. All organisations, especially those that handle sensitive personal data, have a duty of care to prioritise data protection and prevent incidents like this taking place," he added.

Exemplary fines handed out to police forces

Back in April, the ICO had also slapped a £130,000 fine on Humberside Police for failing to secure three disks that contained the testimony of a rape victim along with the victim's sensitive personal information. According to the ICO, Humberside Police failed to encrypt the disks and lost them while posting them to Cleveland Police.

"We see far too many cases where police forces fail to look after disks containing the highly sensitive personal information contained within victim or witness interviews," said Steve Eckersley, head of enforcement at the Information Commissioner's Office.

"Anyone working in a police force has a duty to stop and think whenever they handle personal details – making sure they are using the most appropriate method for transferring information and considering the consequences of it being lost before going ahead. Staff training in this area is vital.

"Police forces deal with such sensitive information that when things go wrong, it's likely to be serious. This case shows how crucial it is to keep a clear record of what's been sent, when and who to," he added.

Copyright Lyonsdown Limited 2020
