Gloucestershire Police has been fined £80,000 under the Data Protection Act 1998 after sending a bulk email (an update on an abuse allegation case) to 56 recipients on the 19 December 2016. The new Data Protection Act of 2018 did not apply because the breach occurred prior to its enforcement.

The officer did not use the blind carbon copy (BCC) function, but instead sent the email to all the recipients resulting in them (victims, witnesses, lawyers and journalists) all obtaining access to the full names and email addresses of each other.

Sharing the details in this manner, even when in error, is a data breach as well as a breach of privacy. If the force had used the BCC function when sending the message, all the recipients entered into the BCC field would have been concealed from one another and the breach would have been avoided.

ICO Head of Enforcement, Steve Eckersley said:

“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law-especially when such sensitive and confidential information was involved.”

The email contents also referenced further details relating to the investigation, such as schools and organisations. This information could be considered linkable and identifiable information and could potentially be used in combination with other information to provide further insight into an individual’s private life.

56 emails were sent, one was undeliverable and three successfully recalled two days later. So, the details of 56 people were visible to 52 recipients.

“This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity,” explained Steve Eckersley, ICO Head of Enforcement.