23rd July 2018

Data breach “placed vulnerable people at risk” warns Information Commissioners Office

The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 by the Information Commissioners Office (ICO) after sending a bulk email with details of possible victims of non-recent child sexual abuse.

IICSA was set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse.  It has been reported that on 27 February 2017 an IICSA staff member sent an email to 90 inquiry participants.  The particular email sent allowed each recipient to see each other’s email addresses thus identifying them as possible victims of child sexual abuse.  52 of the email addresses contained the full names of the participants or had a full name label attached.

The ICO stated “people’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant”.

IICSA and the ICO received 22 complaints about the security breach.  It is understood IICSA has since apologised to the affected individuals.

The breach occurred before the implementation of the Data Protection Act 2018 and therefore was dealt with under the provisions and maximum penalties under the Data Protection Act 1998.  The Data Protection Act 2018 came into force on 25 May 2018 and provides a maximum fine, which can be levied by the ICO, of up to £17 million pounds or 4% of global turnover.  Under the 1998 Act the maximum financial penalty is £500,000.

Our Solicitors Richard Hardy and Andrew Freckleton specialise in data breaches and are currently pursuing a group claim against Newcastle City Council following a data breach by email concerning child adoption information.

If you believe your information has been subject to a data breach please contact Richard Hardy at richardhardy@benhoarebell.co.uk or telephone 0191 516 7926.

Blog by Richard Hardy, Partner