The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 after sending a bulk email that identified possible victims of child sexual abuse.
Vulnerable people were placed at risk owing to the error, after the email was sent to 90 inquiry participants on February 27 last year, the Information Commissioner’s Office (ICO) said.
Some 52 of the email addresses contained people’s full names, leaving at least one complainant “very distressed”, the ICO said.
Director of investigations, Steve Eckersley, said: “People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.
“IICSA should and could have done more to ensure this did not happen.”
Set up in 2014, the inquiry is looking at the extent to which institutions failed to protect children from sexual abuse.
The mistaken disclosure of the sensitive personal information is a breach of the Data Protection Act 1998, the ICO said, since the breach preceded the 2018 act.
The IICSA failed to use an email account that could send a separate email to each participant and failed to train staff on the importance of checking that email addresses were entered into the “bcc” section, according to the ICO.
It also hired an IT company to manage the mailing list, and breached its own privacy notice by sharing participants’ email addresses with the company without their consent, the ICO investigation found.
The Prime Minister’s official spokesman said Theresa May continued to have confidence in the inquiry.
“The inquiry has apologised for this incident and referred itself to the ICO immediately, and has introduced a number of measures to improve its data management,” said the spokesman.
“The Home Office has received assurances that the IICSA is taking steps to continually strengthen its management of data.
“This inquiry is important. It’s making good progress in helping to get to the truth, expose what has gone wrong and to learn lessons for the future.”