Ninety participants to Inquiry were affected by data breach identifying possible victims

A leading data protection lawyer has said that the Independent Inquiry into Child Sexual Abuse (IICSA) was likely to face significant claims for compensation after it was fined £200,000 by the Information Commissioner’s Office (ICO) for a breach of the Data Protection Act for failing to keep confidential and sensitive personal information secure after sending a bulk email that identified possible victims of non-recent child sexual abuse.

The IICSA was set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse. On 27 February 2017, an IICSA staff member sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a forthcoming public hearing. After noticing an error in the email, a correction was sent but the email addresses were entered into the ‘to’ field, instead of the ‘bcc’ field by mistake. This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.

Fifty-two of the email addresses contained the full names of the participants or had a full name label attached, while twenty three of the email addresses included a partial name. Twenty-two complaints were received about the breach and one person told the ICO he was "very distressed" by it. The IICSA has since apologised to those affected.

The ICO report found that the contravention would have caused distress to those affected through knowing that their names had been disclosed to unauthorised individuals who could infer that they were victims and survivors of child sexual abuse and noted that an email address could then also be searched via social networks and search engines. The report also found that those affected would have been further distressed by justifiable concerns that their data had been further disseminated even if those concerns do not actually materialise. The report also emphasised that those affected were suffering from the lifelong consequences of child sexual abuse and therefore extremely vulnerable.

The ICO report concluded that Inquiry had failed to take the appropriate technical measures to prevent the security breach by failing to use an email account that could send a separate email to each participant and failing to provide Inquiry staff with adequate training.

However Sean Humber, a data breach specialist at law firm Leigh Day, who has successfully acted for data breach victims in similar cases, said that those affected were likely to have strong claims for compensation.

He said: "As the ICO report makes clear, the Inquiry really should have known that it was wholly inappropriate to send bulk emails to participants using the ‘bcc’ field. Sadly, this is just the latest high profile example of what happens when things then go wrong.

“This data breach is particularly serious given the extreme sensitivity of the information disclosed and the vulnerability of those affected, who are likely to have significant claims for compensation for the distress caused by the breach as well as any other losses they may have suffered."