Gloucester Police Fined For Disclosing Victim Details In Bulk Email

data breach, security

An officer failed to activate the ‘BCC’ function in a bulk email, landing the force a £80,000 penalty

The Information Commissioner’s Office (ICO) has fined Gloucester Police £80,000 after it inadvertently identified child abuse victims in a bulk email.

The case is one of the few that are still being dealt with under the provisions of the 1998 Data Protection Act, rather than the General Data Protection Regulation (GDPR), which came into force last month, and which allows for much higher fines than older legislation.

That’s because of the date of the incident, which took place on 19 December 2016.

At that time an officer involved in an investigation of alleged historical abuse sent an update on the case to 56 recipients by email, but entered the addresses into the ‘To’ field and did not activate the ‘BCC’ function that would have hidden the details from other recipients.

Details disclosed

That meant each recipient could see the full names and email addresses of all the others. The email made reference to schools and other organisations being investigated.

The ICO said that many of the victims were also legally entitled to lifelong anonymity. It noted that email addresses can be used in searches of social media to draw up large amounts of personal information on individuals.

The email was sent to interested parties in the investigation, including victims, witnesses, lawyers and journalists.

Of the 56 recipients, all but one were deliverable. The police identified their mistake two days later and recalled the email, with three emails successfully recalled. That meant the 56 names and addresses were visible to up to 52 recipients.

“This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse,” said ICO head of enforcement Steve Eckersley.

“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”

The ICO said mitigating factors included that the force apologised to the individuals, that some of the recipients in the email already knew one another, and that the force was improving its technical and organisational measures.

In March the ICO investigated Gwent police after it was revealed hundreds of confidential reports from members of the public may have been exposed to criminals over two-year period.

That potential data breach was only reported to the ICO when a media outlet broke news about the issue.