The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 by the Information Commissioner’s Office (ICO) for identifying possible victims of non-recent child sexual abuse.
The litany of errors began when an IICSA employee sent a blind carbon copy (bcc) email to 90 Inquiry participants informing them of an upcoming public hearing. So far so good, but after noticing an error in the email, the employee sent a well-meaning correction, this time with all email addresses entered into the ‘to’ field instead of the ‘bcc’ field. Every recipient of the email could then see the email addresses of the other recipients, who were possible victims of child sexual abuse.
Alerted to the mistake by a recipient, who entered two further email addresses into the ‘to’ field before clicking on ‘Reply All’, IICSA sent three emails to the recipients asking them to delete the original email. One of these emails generated 39 ‘Reply All’ emails from 22 recipients. The same number of individuals complained to the ICO, including one from a person who was “very distressed”.
Like many organisations slapped with an ICO fine for a personal data breach, IICSA failed to have basic security measures and training in place to prevent the breach from happening. The serious mistakes made by IICSA could have been made by any organisation – including schools – using bulk email lists to communicate with individuals. Just think about your mailing lists for current students and parents, your parents association or alumni body. An increasing number of schools will also hold records on former pupils who were possible victims of non-recent child sexual abuse and may need to communicate with them by email.
What can schools learn from IICSA’s errors? Here are some (basic) lessons gleaned from the ICO investigation findings:
1. Use an email account that can send a separate email to each individual.
2. Failing that, provide staff with guidance or training on the importance of double checking that the email addresses are entered into the ‘bcc’ field.
3. Make sure your privacy notice and data collection forms reflect what you actually do. IICSA shared email addresses with their IT supplier without individuals’ consent contrary to their own documentation.
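Lessons 1 and 2 can be enforced in code rather than left to a double check by the sender. The following is an added example, not from the article or from IICSA: it builds one message per recipient and includes a pre-send guard that flags any message whose ‘to’ or ‘cc’ fields would expose more than one address. The sender and recipient addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list; stands in for the 90 participants in the article.
RECIPIENTS = ["a.smith@example.org", "b.jones@example.org", "c.lee@example.org"]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: all of To and Cc (Bcc is stripped on send)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_recipient_exposure(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Lesson 2: the check a sender should run before clicking send (or reply all).

    Returns the addresses that would be exposed to each other if the message
    went out as-is; an empty list means it is safe to send.
    """
    seen = visible_recipients(msg)
    return seen if len(seen) > max_visible else []


def build_individual_messages(sender: str, recipients: list[str],
                              subject: str, body: str) -> list[EmailMessage]:
    """Lesson 1: a separate message per recipient, so no shared To/Cc exists at all."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        # Defence in depth: even the per-recipient path runs the guard.
        if check_recipient_exposure(msg):
            raise ValueError(f"refusing to send: multiple visible recipients in {addr!r}")
        messages.append(msg)
    return messages


def mistaken_message(sender: str, recipients: list[str],
                     subject: str, body: str) -> EmailMessage:
    """Reproduces the IICSA error: every address placed in the ‘to’ field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

In a real mail pipeline the guard would sit in the send hook so that a message failing `check_recipient_exposure` is never handed to the mail server.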
This is all common sense you might say, but IICSA was not the first data controller to be fined for a bulk email blunder, and we doubt it will be the last.