Gloucestershire Police has been fined £80,000 by the Information Commissioner’s Office (ICO) after sending a bulk email in error which revealed the names of child abuse victims to strangers.
Two years ago, an officer sent an update on an ongoing case of historic child abuse to 56 recipients, but forgot to BCC them, meaning their names were exposed to the other recipients.
This meant that each recipient – which the ICO says “potentially included victims, witnesses, lawyers and journalists” – could see the full email address and name of the others on the same email.
Of the 56 emails sent, one was not deliverable and three were successfully recalled, after the police force identified the privacy snafu two days later. That means 56 names and email addresses were visible to up to 52 recipients, according to the ICO.
“This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity,” said ICO head of enforcement, Steve Eckersley.
“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”
As the privacy leak occurred on 19 December 2016 the ICO fined the force under the Data Protection Act 1998, rather than the 2018 Act which effectively incorporates the GDPR into UK law. It’s unclear whether that meant a reduced fine for the police force.
According to the data protection watchdog there were 957 reported incidents in the last quarter, a 17% increase on the previous three months.
Of those, failure to use BCC when sending emails was one of the top five data security incident types.