
ICO issues fine for IICSA data breach

3/22

The ICO has issued a fine for the IICSA data breach that took place last year. The fine amounts to £200,000.00 given the sensitive nature of the data involved in the breach.

The ICO (Information Commissioner’s Office) said last month that, “This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.”

The IICSA data breach was another example of a simple but very avoidable data breach that ultimately led to incredibly sensitive and personal information being exposed.

What happened in the IICSA data breach?

The Independent Inquiry into Child Sexual Abuse (also known as the IICSA) was set up to investigate institutional failures in protecting children from abuse. On 27 February 2017, an employee sent an email to 90 recipients involved in the Inquiry, which included victims, lawyers and journalists. This email used the ‘Blind Carbon Copy’ (“BCC”) function to mask recipient information. However, after an error was spotted in the email, a second email was sent without the BCC function, resulting in the IICSA data breach.

Unfortunately, the identities of recipients were then disclosed to one another in a breach that’s very similar to the 56 Dean Street Clinic breach we’re running an action for.

Data disclosed in the IICSA data breach

The data disclosed in the IICSA data breach was the identities of recipients participating in the inquiry. It’s understood that 52 of the email addresses contained the full names of the participants, or had the label showing their full name, and some of those recipients were victims themselves.

Victims have the right to remain confidential, but their identities have been disclosed in an entirely avoidable incident.

Damning revelations identified by the ICO investigating the IICSA data breach

The ICO’s investigation into the IICSA data breach uncovered some alarming failures. It’s understood that staff did not have any – or any adequate – training or guidance on the importance of ensuring an email of this nature would be sent without incident. It was also found that the Inquiry breached its own privacy notice by sharing the participants’ email addresses with an IT company without consent.

The ICO said that this case was dealt with, “under the provisions and maximum penalties of the Data Protection Act 1998.”

Compensation for victims of the IICSA data breach

Since the news of the breach came out, we have been advising victims of the IICSA data breach.

Anyone who would like to speak to us confidentially about their rights for justice – on a no obligation basis – can contact the team.
