The Information Commissioner's Office has fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 for failing to protect the identity of possible victims of child abuse after a human error compromised identities of such victims to third parties.
One little error proves costly for IICSA
The 'human error' occurred in February last year when, instead of putting e-mail addresses of possible child abuse victims in the 'bcc' field, the employee erroneously pasted e-mail addresses of 90 Inquiry participants in the 'To' field.
Out of the 90 e-mail addresses that were visible to all recipients, 52 contained the full names of the participants or had a full name label attached, thereby revealing their identities. The organisation, as well as the ICO, were alerted about the breach by one of the recipients who clicked 'reply all' to the e-mail sent by IICSA.
After carrying out an investigation into the breach, the ICO observed that IICSA did not provide its staff with any training or guidance on the importance of double checking that the participant’s email addresses were entered into the ‘bcc’ field.
The watchdog also observed that IICSA breached their own privacy notice by sharing participants’ emails addresses with the IT company without their consent, and failed to use an e-mail account that could send a separate email to each participant.
"This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen. People’s e-mail addresses can be searched via social networks and search engines, so the risk that they could be identified was significant," said Steve Eckersley, Director of Investigations at the ICO.
Based on its findings, the ICO placed a fine of £200,000 on IICSA as per the Data Protection Act, 1998. Had the breach taken place on or after 25th May of this year, the fine under the GDPR could have been in millions.
"The ICO has the power under the Data Protection Act 2018 to impose a civil monetary penalty on a data controller of up to £17million (20m Euro) or 4% of global turnover. Under the 1998 Act, the maximum financial penalty is £500,000," reads the Information Commissioner's website.
Repeated instances of human error
This is the second such fine imposed by the ICO on erring organisations in as many months. Back in June, the Information Commissioner's Office fined Gloucestershire Police £80,000 for failing to conceal the identity of dozens of victims of child abuse, thereby causing immense distress to the affected victims.
The breach occurred on 19th December 2016 when an officer at Gloucestershire Police sent a bulk email to 56 recipients to inform them about an update on a case, but instead of putting the e-mail addresses in the 'bcc' field, added all the email addresses in the 'To' field. Basically, both Gloucestershire Police and ISSCA were guilty of the same mistake even though the latter ultimately faced a much larger fine.
"This incident again reinforces the need for “data centric” security technologies. This would help protect data at source, removing the risk factor associated with human error and insider threats," said Jan van Vliet, VP and GM EMEA at Digital Guardian.
"If Gloucestershire Police had had such technologies in place, it could have prevented this highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients. All organisations, especially those that handle sensitive personal data, have a duty of care to prioritise data protection and prevent incidents like this taking place," he added.
Back in April, the ICO had also slapped a £130,000 fine on Humberside Police for failing to secure three disks that contained the testimony of a rape victim and also contained sensitive personal information of the victim. According to the ICO, Humberside Police failed to encrypt the disks and lost the disks while posting them to Cleveland Police.
“We see far too many cases where police forces fail to look after disks containing the highly sensitive personal information contained within victim or witness interviews," said Steve Eckersley, head of enforcement at the Information Commissioner's Office.