The 2016 Gloucestershire police data breach has led to a fine imposed by the Information Commissioner’s Office (ICO) in the sum of £80,000.00.
The incident, which took place on 19 December 2016, involved a Gloucestershire police officer sending an update to 56 individuals in respect of allegations of abuse. The officer inadvertently placed the email addresses of the recipients into the “To” field instead of the “BCC” field, resulting in the identities of the recipients being revealed to one another.
The email itself is thought to have revealed information about schools and other organisations being investigated as part of the allegations.
Gloucestershire police data breach a serious incident
The Gloucestershire police data breach was a serious incident. The email revealed the identities of the recipients to one another, and the recipients included alleged victims, lawyers and journalists. Some of the victims had been granted lifelong anonymity, yet their identities were revealed as a result of this breach, which was entirely preventable.
Had the BCC (Blind Carbon Copy) function been used, the identities of the 56 recipients would have been hidden.
Impact of the Gloucestershire police data breach
Given the lifelong anonymity of the victims involved, and the information about organisations being investigated, the impact of the Gloucestershire police data breach is huge.
It’s understood that there were 56 recipients of the email, with all but one of the emails successfully delivered, and just three successfully recalled by the police when they realised the error they had made. This means that at least 52 of the recipients received the breach email.
Steve Eckersley at the ICO had this to say:
“This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity.
The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”
Not an isolated incident
The Gloucestershire police data breach was, in reality, not an isolated incident. This is not the first time that someone has accidentally sent a breach email by neglecting to use the BCC function.
The 56 Dean Street data breach we’re dealing with is a prominent example of this.
Given that the breach took place at the end of 2016, Gloucestershire police have avoided a GDPR fine, but they have received a significant fine of £80,000.00 as a result of the breach.
Victims of police data breaches can be entitled to claim for data breach compensation.