The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000, under the Data Protection Act that preceded the GDPR, for sending a bulk email to 90 recipients that identified abuse victims. The inquiry was set up in 2014 to investigate claims against various public and private institutions that failed to protect children from sexual abuse.

How the breach unfolded

On 27 February 2017, an IICSA staff member sent a blind carbon copy (BCC) email to 90 recipients who were participating in the inquiry. The staff member then noticed an error in the email and sent a correction. This time, however, the correction was not sent as BCC but addressed openly to all 90 recipients, so every recipient could see the others’ details and potentially identify victims of abuse. 52 of the email addresses revealed the full names of recipients.

The IICSA was alerted to the breach by a recipient who responded to the email using ‘Reply All’ after adding a further two email addresses.

The IICSA then sent three emails asking the recipients to delete the original email and not to circulate it any further. One of these emails generated 39 ‘Reply All’ responses.

The ICO’s findings

The ICO investigated the incident and its findings include:

  • The IICSA did not use an email account that was able to send a separate email to each participant
  • The IICSA did not provide its employees with adequate training or guidance on the importance of using the BCC function and not sending bulk emails
  • The IICSA engaged an IT company to manage the mailing list and relied on that company to prevent individuals from using the ‘Reply All’ function
  • The IICSA breached its own privacy notice by sharing participants’ email addresses with the IT company without their consent.
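The first two findings describe the control that was missing: one message per recipient, and a check that no draft exposes one participant’s address to another. As an added illustration (not code from the original post or from Galaxkey), the following builds per-recipient messages and refuses any draft whose visible To/Cc list would disclose addresses, using only Python’s standard `email` library; the threshold `MAX_VISIBLE_RECIPIENTS` is an assumed policy value.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: a message to inquiry participants may show at most one
# visible recipient, because To/Cc headers are delivered to everyone
# while Bcc is stripped before delivery.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the addresses every recipient of this message can see (To and Cc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def check_before_send(msg: EmailMessage) -> None:
    """Refuse a draft that would disclose one participant's address to another.

    This is the guard the correction email in the IICSA case lacked: the
    retyped recipient list landed in To instead of Bcc.
    """
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(
            f"{len(seen)} visible recipients; send one message per recipient instead"
        )


def per_recipient_messages(subject: str, body: str, sender: str,
                           recipients: list[str]) -> list[EmailMessage]:
    """Build one message per recipient so no recipient ever sees another's address.

    Duplicates are dropped while preserving order; every message passes the
    same check before it is returned, so the bulk path cannot bypass it.
    """
    messages = []
    for rcpt in dict.fromkeys(recipients):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        check_before_send(msg)
        messages.append(msg)
    return messages
```

Each returned message is then handed to the mail transport separately; a sender that cannot do this is exactly what the first ICO finding describes.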

Steve Eckersley, ICO Director of Investigations, said: “People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

Galaxkey’s Authorised Data Distribution solves this recurring problem

Accidental bulk email sends happen far too often. Sharing personal information in this manner, even accidentally, is a data breach as well as a breach of privacy and many businesses do not realise this.

In a similar case, the ICO fined Gloucestershire Police £80,000 for sending a bulk email to 56 recipients regarding an abuse enquiry in 2016. The officer responsible did not use the BCC function but sent the email openly to all the recipients, so that victims, witnesses, lawyers and journalists all obtained each other’s full names and email addresses.

Galaxkey’s Authorised Data Distribution (ADD) is designed to stop accidental bulk email sends and unauthorised distribution of information. With ADD the email always remains under the control of the original sender. The owner of the email controls the permissions for that email: who can and can’t forward it, to whom it can be forwarded, and whether replies to it are blocked, limiting what can be done with the email and how its information is distributed. Both the Reply and Forward functions can be blocked.


This Galaxkey functionality is a practical and easy way to add a further layer of security. It limits the recipients’ ability to unintentionally communicate or share personal and sensitive information with anyone not authorised to view it, and helps to manage and track the flow of data.

With the correct measures in place, breaches and damages resulting from bulk email sends can be avoided!
