UK: Child sexual abuse inquiry fined £200,000 for data protection breach

The inquiry, set up in 2014 to investigate the extent to which institutions failed to protect children from sexual abuse, did not keep confidential and sensitive personal information secure.

The incident in question relates to an email that was sent to 90 inquiry participants in February 2017, where participants could see each others’ email addresses - identifying them as possible victims of child sexual abuse.

The case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach.

The inquiry and the ICO received 22 complaints about the security breach, and one complainant told the ICO he was “very distressed” by the security breach.

Steve Eckersley, director of investigations for the ICO, said: “This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.

“People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

IICSA has since apologised to the affected individuals.