A police force has been fined and heavily criticised for sending out a bulk email that identified victims of historical child abuse.
The Information Commissioner’s Office (ICO) said the error by Gloucestershire police was likely to have caused “substantial distress” to alleged abuse victims, some of whom were legally entitled to lifelong anonymity.
It also raised concerns that the alleged victims’ details could have fallen into the hands of “hostile” parties, which could have caused further distress.
At the time of the breach the force was investigating allegations of child abuse involving multiple victims.
On 19 December 2016 a police officer sent an update on the case to 56 recipients by email, but entered their addresses in the “To” field and did not use the “bcc” (blind carbon copy) function, which would have hidden identities.
Each recipient of the e-mail – which potentially included lawyers and journalists as well as victims and witnesses – could see both e-mail addresses and full names of the others. The email also made reference to schools and other organisations being investigated in relation to the abuse allegations.
The force identified the breach two days later, sent an apology and asked for recipients to delete the original email.
But the ICO said the mistake was so serious that the force should be fined £80,000. The case was dealt with under the Data Protection Act 1998, not the act that replaced it in 2018, due to the date the breach occurred. The officer involved, who has not been named, was referred by the force to the professional standards department.
ICO head of enforcement, Steve Eckersley, said: “This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity.
“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”
At the time of the breach, the “bcc” field was not a function automatically selected on the email software of Gloucestershire police. Staff members had to adjust their own settings to be able to use this function.
The ICO found that the force failed to provide staff with any – or any adequate – guidance or training on bulk email communication.
Its report added: “If this information has been misused by those who had access to it or was in fact disclosed to hostile third parties then the contravention wold cause further distress.”
It said aggravating factors were that some of the individuals’ right to anonymity for life had been lost and there was no guarantee the information had been recovered in full. Further details of the case were not given by the ICO.
Gloucestershire police said it was considering an appeal and insisted that the email message was not sent to journalists and lawyers as the ICO said.
A spokesperson said: “The constabulary understands its information security responsibilities and measures have been put in place to minimise the chances of this happening again.
“Notwithstanding this we are disappointed by the ICO’s decision. The officer in the case had previously carried out their duties to keep all parties informed but on this occasion made a mistake by copying, rather than blind copying, the email addresses of all recipients … Given this, we are considering an appeal.”