
May 29, 2018

£80,000 fine imposed on Gloucestershire Police over "serious breach" of data protection laws


In a case termed as a "serious breach" of data protection laws, the Information Commissioner’s Office (ICO) imposed a whopping £80,000 fine on Gloucestershire Police after the Police sent a bulk email in error which revealed the identities of child abuse victims to strangers.

Two years ago, an officer involved in an investigation into non-recent allegations sent an update on an ongoing case of historic child abuse to 56 recipients (including victims, witnesses, journalists, and lawyers), but forgot to BCC them, thereby exposing their names to the other recipients and inadvertently making all email addresses viewable by all recipients.

According to the investigation, the BCC (Blind Carbon Copy) function, which can be used to send bulk emails and keep the addresses private, was not automatically selectable on the system used by the officer. Instead they used a function that displays all other recipients' email addresses.

Disappointed by the decision, Gloucestershire Police said it was considering an appeal.

According to the ICO, of the 56 emails sent, one was not deliverable and three were successfully recalled, after the police identified the privacy snafu two days later. That means 56 names and email addresses were visible to up to 52 recipients.

When the police realized the error, it reported it to the ICO and sent emails of apology to all recipients.

In this regard, Steve Eckersley, Head of Enforcement at ICO, said, "This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity... The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law, especially when such sensitive and confidential information was involved."

As the offence was committed in December 2016, that is, before the new 2018 Act came into force, the case was dealt with under the Data Protection Act, 1998 rather than the 2018 Act, which effectively incorporates the GDPR into UK law.

In another recent case of privacy leak, TSB Bank, a retail and commercial bank in the United Kingdom, sent letters to some customers following a major IT incident, and those letters contained sensitive information on other users. As soon as the bank realized the error, it apologized for the privacy leak, which could fall foul of the GDPR. Some letters sent out to explain the recent IT incident reportedly contained a second page with a reference number, name, and address of a different customer.
