Gloucestershire Police has been fined £80,000 for failing to blind-copy an email that contained the names and email addresses of victims of child abuse.
The Information Commissioner's Office handed down the penalty after investigating the bulk email error, which took place in December 2016 and exposed the names of 56 people – some of whom are entitled to lifelong anonymity.
An officer investigating historical allegations of abuse against multiple victims sent an email to interested parties to the case. That included victims of childhood abuse, witnesses, lawyers and journalists.
However, the BCC field wasn't automatically selected and the officer instead sent the mail out with the addresses – listed next to full names because they had been saved as contacts in Outlook – in the To field.
The error went unnoticed for two days before the force recalled the mail and informed the ICO, but only managed to do so for three emails. One further mail was considered undeliverable.
That meant 56 names and email addresses were revealed to up to 52 of the other recipients. Moreover, the email referred to schools and other organisations being investigated in relation to the abuse allegations.
The ICO ruled that the breach could have caused substantial distress for the recipients, noting that email addresses are searchable on social media, and that child abuse victims were likely to be extremely vulnerable already.
"This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity," said ICO head of enforcement Steve Eckersley.
"The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved."
The ICO listed as mitigating features the fact that the force apologised to the individuals, that some of the recipients in the email already knew each other, and that the force was taking action to improve its technical and organisational measures. ®
Sponsored: Webcast: Simplify data protection on AWS