The Information Commissioner’s Office (ICO) recently imposed a £80,000 on Gloucestershire Police for a (pre-GDPR) data breach which involved sending a bulk email identifying victims of historic child abuse.
In December 2016, an officer sent an update to 56 recipients by entering their email addresses in the ‘To’ field rather than utilising the ‘BCC’, or ‘blind carbon copy’, function.
Each recipient could therefore have had sight of the details of every recipient of the email. It is understood that recipients included victims, witnesses, lawyers and journalists and that the email also made reference to schools and other organisations being investigated.
Steve Eckersley, ICO Head of Enforcement, said:
‘This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity.
The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.’
Something to bear in mind before you next click ‘Send’?