Gloucester Police Fined For Disclosing Victim Details In Bulk Email

The Information Commissioner’s Office (ICO) has fined Gloucester Police £80,000 after it inadvertently identified child abuse victims in a bulk email.

The case is one of the few that are still being dealt with under the provisions of the 1998 Data Protection Act, rather than the General Data Protection Regulation (GDPR), which came into force last month, and which allows for much higher fines than older legislation.

That’s because of the date of the incident, which took place on 19 December 2016.

At that time an officer involved in an investigation of alleged historical abuse sent an update on the case to 56 recipients by email, but entered the addresses into the ‘To’ field and did not activate the ‘BCC’ function that would have hidden the details from other recipients.

Details disclosed

That meant each recipient could see the full names and email addresses of all the others. The email made reference to schools and other organisations being investigated.

The ICO said that many of the victims were also legally entitled to lifelong anonymity. It noted that email addresses can be used in searches of social media to draw up large amounts of personal information on individuals.

The email was sent to interested parties in the investigation, including victims, witnesses, lawyers and journalists.

Of the 56 recipients, all but one were deliverable. The police identified their mistake two days later and recalled the email, with three emails successfully recalled. That meant the 56 names and addresses were visible to up to 52 recipients.

“This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse,” said ICO head of enforcement Steve Eckersley.

“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”

The ICO said mitigating factors included that the force apologised to the individuals, that some of the recipients in the email already knew one another, and that the force was improving its technical and organisational measures.

In March the ICO investigated Gwent police after it was revealed hundreds of confidential reports from members of the public may have been exposed to criminals over two-year period.

That potential data breach was only reported to the ICO when a media outlet broke news about the issue.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

14 hours ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

15 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

17 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

1 day ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

1 day ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

2 days ago