Inquiry into child sexual abuse fined £200k after data breach
Inquiry sent bulk email that identified possible victims of child sexual abuse
The UK’s Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 (€224,223) after sending a bulk email that identified possible victims of child sexual abuse.
Vulnerable people were placed at risk owing to the error, after the email was sent to 90 inquiry participants on February 27th last year, the UK’s Information Commissioner’s Office (ICO) said.
Some 52 of the email addresses contained people’s full names, leaving at least one complainant “very distressed”, the ICO said.
Director of investigations, Steve Eckersley, said: “People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.
“IICSA should and could have done more to ensure this did not happen.”
Set up in 2014, the inquiry is looking at the extent to which institutions failed to protect children from sexual abuse.
The mistaken disclosure of the sensitive personal information is a breach of the Data Protection Act 1998, the ICO said, since the breach preceded the 2018 act.
The IICSA failed to use an email account that could send a separate email to each participant and failed to train staff on the importance of checking that email addresses were entered into the “bcc” section, according to the ICO.
It also hired an IT company to manage the mailing list, and breached its own privacy notice by sharing participants’ email addresses with the company without their consent, the ICO investigation found. – PA