back to article Brit watchdog fines child sex abuse inquiry £200k over mass email blunder

The UK's data watchdog today issued the Independent Inquiry into Child Sexual Abuse (IICSA) a £200,000 penalty after it sent a bulk email to participants that identified possible victims of historical crimes. The Information Commissioner's Office (ICO) said IICSA – set up in 2014 to probe the degree to which institutions in …

  1. Anonymous Coward
    Anonymous Coward

    The Inquiry said it takes data protection "very seriously"

    We can already see that it doesn't.

    1. BoldMan

      Re: The Inquiry said it takes data protection "very seriously"

      ... not seriously enough!

    2. ssieth

      Re: The Inquiry said it takes data protection "very seriously"

      That was my first thought as well. It's amazing how often we see that phrase in situations where it is abundantly obvious that it is false.

    3. Halfmad

      Re: The Inquiry said it takes data protection "very seriously"

      The fine should automatically double if they use this statement at any point in literature made before the breach or in press releases afterwards..

    4. CrazyOldCatMan Silver badge

      Re: The Inquiry said it takes data protection "very seriously"

      .. now anyway. Cos we don't want to get fined again.

      The people involved who got their details leaked? Nah - we don't care about them..

  2. Anonymous Coward
    Anonymous Coward

    Bureaucracy fines bureaucracy, nothing changes

    It would be nice to think that somebody who was genuinely accountable had been held personally to account. But the wiffle-waffle response from IICSA drones on in the usual insincere prose, and it seems that those who were paid to ensure this sort of thing did not happen will avoid the consequence of their own failure.

    1. LeahroyNake

      Re: Bureaucracy fines bureaucracy, nothing changes

      The problem is... If you, me or anyone as an individual made this mistake we would be personally liable and at a minimum be made to pay a fine, at worst jail time and on some watch list.

      As an example you could be offering support to people in a similar situation (just because you are nice or experienced a similar crime) that may involve a mailing list.

      Hiding behind 'company is big enough to get away with a fine' takes the biscuit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bureaucracy fines bureaucracy, nothing changes

        The problem is... If you, me or anyone as an individual made this mistake we would be personally liable and at a minimum be made to pay a fine, at worst jail time and on some watch list.

        People are fined for breaches at work all the time by the ICO particularly in Health, you will also find some NHS trusts have had staff charged and taken to court for breaching DPA Section 55.

        It can and does happen, but the press rarely report on it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Bureaucracy fines bureaucracy, nothing changes

      > It would be nice to think that somebody who was genuinely accountable had been held personally to account

      It won't help because these kinds of mistake are too easy to make. Government departments (and companies, really) should be required to deploy email clients/servers/relays that refuse to send if there are more than 5 external addresses in either the To or cc fields.

      Clearly there are people who need to send to more than 5 legitimately, but the software can have white lists for sending out (just as there are blacklists/junk lists for spam) so that a positive action is required to circumvent the idiot check.

      Microsoft could, dare I say it, voluntarily provide such a facility as a corporate social responsibility thing.

      1. katrinab Silver badge

        Re: Bureaucracy fines bureaucracy, nothing changes

        "Microsoft could, dare I say it, voluntarily provide such a facility as a corporate social responsibility thing."

        They already do. The default limit is set at 5,000 recipients per message, but you can change this.

      2. DavCrav

        Re: Bureaucracy fines bureaucracy, nothing changes

        "Government departments (and companies, really) should be required to deploy email clients/servers/relays that refuse to send if there are more than 5 external addresses in either the To or cc fields."

        Or just if more than 5 people are in To/cc and it isn't a reply all to a message, produce a dialogue box that says "Are you sure you meant to include this many people?" Since it wouldn't be a common dialogue box that appears, users would be less likely to click past it.

      3. Peter2 Silver badge

        Re: Bureaucracy fines bureaucracy, nothing changes

        Microsoft could, dare I say it, voluntarily provide such a facility as a corporate social responsibility thing.

        Exchange management console -> Organisation settings -> Transport settings -> Maximum number of recipients.

        Stating the obvious however, the orginisation has to have the social responsibility to change the settings from the defaults.

  3. adam payne

    According to the ICO, the inquiry: failed to use an account that could send separate emails to each person involved in the cases; didn't give guidance or training on BCC emails;

    Didn't give training on BCC emails? seriously? your staff need training on BCC?

    hired an external IT firm to manage the mailing list and relied on advice from the third party that it would prevent email recipients from replying to the whole list; and shared those email addresses with the IT company in breach of its own privacy notice

    Why did they need to hire an external IT company to manage a mailing list?

    So you then breach again by sending the email addresses to the IT company, the mind boggles.

    1. Aristotles slow and dimwitted horse

      Re : Training

      "Didn't give training on BCC emails? seriously? your staff need training on BCC?"

      I absolutely agree with your sentiment and your previous post. I guess the scenario though was that this task was foistered on some low grade, low paid admin clerk who wouldn't have even considered the ramifications of their actions, let alone felt they were in a position to challenge it.

      So yes, training would seem appropriate - or at least review and sign off from someone in a position of knowledge or authority prior to sending considering the sensitivities of the subject matter.

    2. Oh Homer
      Mushroom

      It's 2018 and ...

      People still don't know how to use email correctly.

      Everyone goes into the "To:" header. Everything is in bloody HTML. Replies are upside down, not selectively edited for brevity and context, and infested with a mountain of company policy footers, which multiply like rabbits with every reply.

      Email needs to die. Not because there's anything wrong with it (well, there is, but that's not the reason), but because people are too bloody stupid to use it.

      1. CrazyOldCatMan Silver badge

        Re: It's 2018 and ...

        but because people are too bloody stupid to use it.

        On that basis, we need to ban cars, alcohol, ice cream and pushbikes..

        There is one infinite thing in the universe - the supply of human stupidity. Anyone that's done helldesk time will have already realised this..

    3. Doctor Syntax Silver badge

      "Didn't give training on BCC emails? seriously? your staff need training on BCC?"

      Clearly they did need training.

    4. FlossyThePig

      Training

      OK, how many here have had training on any part of the MS Office suite.

      How many mouse clicks does it take to add BCC to an email?

      In my experience most companies seem to expect staff to know how to use the main MS Office tools so don't provide training. It doesn't surprise me when someone (at any level) makes a blunder which can have serious repercussions.

  4. Fizzle
    FAIL

    No, this is the wrong attitude

    "risk of a further breach is minimised"

    Minimised?

    WRONG!

    Should be "so there cannot be the remotest possibility of any breaches from now on".

  5. GnuTzu

    Tools, E.G. Office

    My organization already uses a tool that warn us when we're addressing those outside our organization, but I think the tools could even be better--as I've said on similar posts--like suggesting BCC for large number of addresses--instead of hiding the BCC field by default.

  6. Teiwaz

    This another round of pass the parcel fines.

    The inquiry runs on funding, does it not. It's not a for profit or a rogue independent charity making a nice little earner for those managing it and only good works as a by product.

    Here's your speeding ticket, pay now, you'll get most the money back once it's been round the tumbledryer for a while. Bollocks

    Fire everyone responsible, start again with all new staff, repeat as necessary if/when they blunder.

    I'd also recommend criminal proceedings, after all 'this was a crime against the most vulnerable in society' or somesuch...

  7. Anonymous Coward
    Childcatcher

    The Independent non-Inquiry into Child Sexual Abuse

    Just how long is this farcical 'inquiry' going to continue. It's patently obvious that to protect the guilty, it was set up to fail. The next best thing would be to have false victims come forward and then discredit them. Or get Philip Schofield to go on television and wave a list of alleged abusers in full view of the camera, only to have it totally discredited later on. Or get some lone nutter to make a complaint and then charge him with pedophile offenses. Or charge the investigating officers with possessing child porn or in one case charged with damaging a mobile phone, the property of her Majesties constabulary.

    IICSA resignations: Baroness Butler-Sloss, Fiona Woolf, Dame Lowell Goddard, Ben Emmerson

    1. heyrick Silver badge

      Re: The Independent non-Inquiry into Child Sexual Abuse

      "It's patently obvious that to protect the guilty, it was set up to fail."

      Probably because if the true scale of this was actually known, any responsible parent would lock their child in a panic room and never let an adult (or anybody with a two digit age) near them.

      1. Anonymous Coward
        Anonymous Coward

        Re: The Independent non-Inquiry into Child Sexual Abuse

        Probably because if the true scale of this was actually known

        The true scale, of course, is that; far from being the inhuman demons the press and public prefer to see them, such people are as human as they, and almost anyone is capable of some of these acts.

        Adults are designed to find the young appealing/children are designed to be appealing, and it doesn't take much for that dependency to go very or even slightly (these days) wrong.

        It's the 'why me' that's often the worst bit, affecting victims years after, and which doesn't help readjustment in the mind of the perpetrator.

        1. Chris G

          Re: The Independent non-Inquiry into Child Sexual Abuse

          @AC

          I see why you are posting as AC; "Adults are designed to find the young appealing/children are designed to be appealing, and it doesn't take much for that dependency to go very or even slightly (these days) wrong."

          Adults are designed to feel 'protective' towards the the young not exploitative, there is a big difference between caring for and protecting the young as opposed to exploiting them and/or abusing them sexually or otherwise.

          Being 'all too human does not and cannot be an excuse or reason, only the worst and most mentally lacking could possibly say they didn't know they were doing wrong and even they should be removed from society.

          I really don't think almost anyone is capable of these acts, all I can say is, having known one or two victims of abuse, it's a good thing you haven't said any of this to my face.

          1. Anonymous Coward
            Anonymous Coward

            Re: The Independent non-Inquiry into Child Sexual Abuse

            Adults are designed to feel 'protective' towards the the young not exploitative, there is a big difference between caring for and protecting the young as opposed to exploiting them and/or abusing them sexually or otherwise.

            Different AC here. But while Adults not are designed to find the young appealing, they are also not designed to feel 'protective' towards the the young.

            it is just "human" find things that is related to them, attractive, cute, and/or pretty appealing. Children is just one of the things.

            Only when of those "human" are selfless that they would feeling 'protective' of children. That's why always beware of adults not like that and be proud of those who are.

        2. heyrick Silver badge

          Re: The Independent non-Inquiry into Child Sexual Abuse

          "Adults are designed to find the young appealing/children are designed to be appealing,"

          Appealing?

          I think little girls are cute (not appealing, cute), especially the ones with big eyes. But there's a world (maybe a universe) of difference between "awwwww!" and "sex".

          "and it doesn't take much for that dependency to go very or even slightly (these days) wrong."

          I dunno. I'd have thought the idea of having sex with a person who hasn't reached the designated age of maturity (and in far too many cases, hasn't even reached sexual maturity) might have possibly been a clue?

          "such people are as human as they, and almost anyone is capable of some of these acts."

          Not an excuse. The asshole piece of shit that blew himself up after a pop concert in Manchester was a human just like us. Does that mean it's somehow acceptable or even understandable? No. It's an abhorration. Like burning persons of a certain faith about eighty years ago, burning "witches" two and a half centuries before that. Child sex abuse, mass murder... These are not excusable acts that ordinary people do. So, no, I do not believe that "almost anyone is capable".

        3. katrinab Silver badge

          Re: The Independent non-Inquiry into Child Sexual Abuse

          “Adults are designed to find the young appealing/children are designed to be appealing,”

          Not in a sexual way though, and for most pædophiles, it is not actually about finding them attractive, it is about feeling important and powerful.

      2. Kernel

        Re: The Independent non-Inquiry into Child Sexual Abuse

        "Probably because if the true scale of this was actually known, any responsible parent would lock their child in a panic room and never let an adult (or anybody with a two digit age) near them."

        Unless the UK is vastly different to the rest of the world, the most common child abuser seems to commonly be a parent, other relative or family friend/known to the family - if only it were as simple as the much promoted "stranger danger".

      3. Kernel

        Re: The Independent non-Inquiry into Child Sexual Abuse

        "Probably because if the true scale of this was actually known, any responsible parent would lock their child in a panic room and never let an adult (or anybody with a two digit age) near them."

        Unless the UK is vastly different to the rest of the world, the most common child abuser seems to be a parent, other relative, family friend/known to the family - if only it were as simple as the much promoted "stranger danger", with all the simplicity of identifying potential risks that concept provides.

  8. Anonymous Coward
    Anonymous Coward

    A modest proposal on BCC

    I propose that the To, CC and BCC lines be renamed or removed. Users are too easily confused.

    We don't need CC any more, multiple users in the To line works fine.

    So replace To with PublicRecipients and BCC with To. Now people will default to using the To line as usual and will only use PublicRecipients when they have a good reason. The name is deliberately ugly so mouth breathers won't want to use it ever.

  9. Patti

    Re: The Independent non-Inquiry into Child Sexual Abuse

    Each and every person who's identity has been exposed in this way, should now, not only seek compensation fron their abuser, or, institution,also collectivly sue the IICSA for this careless unforgivable breach of their privacy, Talk is cheap!! I am tired of those words we are sorry or, I am sorry the insincerity of it rankles.Punch where it hurts in there bank balance.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like