Most of us have probably felt the cold sense of horror and dread that comes with sending an e-mail to the wrong person. Usually, it’s an innocent mistake and nothing that can’t be fixed with a swift apology.
For the Independent Inquiry into Child Sex Abuse though, sending the wrong e-mail was a major data breach which resulted in them receiving a £200,000 fine.
Image Credit: Annie Spratt / Unsplash
The Independent Inquiry into Child Sexual Abuse was set up in 2014 after various investigations exposed widespread sexual abuse of children going back decades, and showed that institutions and organisations responsible for child welfare had failed to protect them.
The Inquiry has been tasked with investigating institutional failures, and hearing the experiences of victims and survivors is a central part of this. To assist with this work, the Inquiry is working with a number of victims and survivors who want to share their stories.
Last February, an Inquiry staff member sent a blind carbon copy (bcc) e-mail to around 90 participants informing them of a public hearing. This meant that none of the recipients could see the names and addresses of others receiving the e-mail.
When someone noticed an error in the e-mail and sent a further e-mail to correct it, they mistakenly entered the names and e-mail addresses into the normal “to” field of the e-mail. This allowed all recipients to see each other’s e-mail addresses, identifying them as possible victims of sexual abuse.
Image: Aricka Lewis/ Unsplash
The Inquiry was referred to the Information Commissioner’s Office (ICO), the independent body responsible for upholding information rights and investigating potential breaches.
This incident placed vulnerable people at risk, which is concerning. [They] should and could have done more to ensure this did not happen.
Information Commissioner’s Office
The ICO found several failings on the part of the Inquiry, including its evident failure to use an e-mail system which could send separate e-mails to each participant. The ICO argued that the Inquiry had failed to provide any guidance or training for staff about the importance of checking that the participants’ addresses were entered into the bcc field. They also found that the Inquiry had shared participants’ e-mails, without their consent, with an external IT company who managed the mailing list.
The ICO’s Director of Investigations said that the incident “placed vulnerable people at risk”, and at least one participant was described as being “very distressed” by the incident.
The failings of the Inquiry amounted to a breach of the Data Protection Act 1998, and the ICO fined the Inquiry £200,000 as a result.
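The two controls the ICO said were missing, an e-mail system that sends a separate message to each participant and a check that a list is never pasted into the visible "to" field, are straightforward to turn into code. The script below is an added illustration written for this article, not anything the Inquiry, its IT contractor or the ICO published. It builds one message per participant with Python's standard `email` library, and a pre-send check refuses any message whose To or Cc headers expose more than one address. The addresses are constructed placeholders, and actual sending over SMTP is left out so the script runs offline.

```python
"""Added example (not from the article or the Inquiry): one message per
participant, plus a pre-send check that a confidential message never
exposes more than one recipient address in its visible headers."""
from email.message import EmailMessage

# Constructed sample list; these are placeholder addresses, not real participants.
PARTICIPANTS = [
    ("Participant A", "a@example.invalid"),
    ("Participant B", "b@example.invalid"),
    ("Participant C", "c@example.invalid"),
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient of msg could read in its headers.

    Bcc is deliberately not counted: a correctly configured mail client or
    server removes it before delivery (smtplib.send_message strips it too).
    """
    addrs = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            for address in header.addresses:
                addrs.append(address.addr_spec.lower())
    return addrs


def check_confidential(msg: EmailMessage) -> None:
    """Raise if a confidential message would reveal recipients to each other.

    This is the hard rule that the ICO found the Inquiry had left to staff
    memory: if more than one address is visible in To/Cc, do not send.
    """
    seen = visible_recipients(msg)
    if len(seen) > 1:
        raise ValueError(
            f"confidential message exposes {len(seen)} addresses in To/Cc; "
            "send one message per recipient or move the list to Bcc"
        )


def build_individual_messages(sender, subject, body_template, participants):
    """Mail-merge style: one EmailMessage per participant, addressed only to
    that participant. Returns the messages; sending is left to the caller."""
    messages = []
    for name, addr in participants:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = f"{name} <{addr}>"
        msg["Subject"] = subject
        msg.set_content(body_template.format(name=name))
        check_confidential(msg)  # each message exposes exactly one address
        messages.append(msg)
    return messages


def build_list_in_to(sender, subject, body, participants):
    """The mistake described in the article: the whole list in the To field.
    Built here only so the check above can be shown rejecting it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(f"{n} <{a}>" for n, a in participants)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    sender = "hearings@example.invalid"  # placeholder sender
    good = build_individual_messages(
        sender, "Public hearing", "Dear {name},\n\nThe hearing details follow.\n",
        PARTICIPANTS,
    )
    print(f"built {len(good)} individual messages, each to one recipient")
    bad = build_list_in_to(sender, "Correction", "Corrected details.\n", PARTICIPANTS)
    try:
        check_confidential(bad)
    except ValueError as err:
        print("blocked:", err)
```

In practice the check would sit in the one place every outgoing mailing passes through, so it cannot be skipped by a hurried follow-up message, which is exactly how the correction e-mail in this case went wrong.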
Data Protection and Human Rights
Image Credit: Joshua Sortino / Unsplash
Having privacy is an important part of human rights – it helps us maintain our autonomy and means that we are free to live our lives the way we want to. It also means that we are able to prevent others from having access to our private or intimate details without consent.
Our personal data is protected by Article 8 of the Human Rights Convention, which provides a right to respect for “private and family life, home and correspondence”. Personal data is also protected by more specific rules set out in the EU Charter of Fundamental Rights, which was implemented in the UK through the Data Protection Act 1998.
The Data Protection Act 1998 has now been superseded by the Data Protection Act 2018, which came into force in May 2018, and which implements the EU General Data Protection Regulation (GDPR) – as you might have noticed from the hundreds of e-mails piling up in your inbox earlier this year.
In this case, however, the breach was dealt with under the Data Protection Act 1998, because it occurred before the GDPR came into force.
Image: Tachina Lee/ Unsplash
The breach by the Inquiry is just one of a number of recent breaches which demonstrate just how vulnerable our data can be – from the recent Cambridge Analytica scandal, to the dating app Grindr sharing users’ HIV status with outside companies. At a time when personal data is being generated, processed and used at a rate like never before, our rights to data protection have become even more important.
As for the Inquiry, it will be expected to pay the fine and take action to ensure that such a breach doesn’t happen again.
This article was edited on 24.7.18 as it initially, incorrectly, stated that the IICSA was fined £20,000. It was in fact fined £200,000.