Email mistakes by U.K. inquiry lead to $345,000 privacy fine

Technology can do wonders to strengthen the security and privacy activities of an organization, but it can only go so far. Sometimes employees are clumsy when handling personal information and the result can be painful.

The latest example is the roughly $345,000 fine levied Wednesday by the U.K. information commissioner against the country’s Independent Inquiry into Child Sexual Abuse for an email mistake.

On Feb. 27, 2017, an inquiry staff member sent a blind carbon copy (bcc) email to 90 inquiry participants — some of whom might have been victims of abuse being investigated — telling them about a public hearing. A “bcc” wouldn’t have allowed recipients to see the names of other people. So far so good.

However, after noticing an error in the email a correction was sent — but this time email addresses were entered into the ‘to’ field, instead of the ‘bcc’ field. This allowed all of the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.

Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.

The inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the ‘to’ field before clicking on ‘Reply All’.

Things got worse.

Now knowing there was a problem the inquiry told its email service provider to create a mailing list for participants. It relied on advice from the provider that it would prevent individuals from replying to the entire list. However, five months after the incident a recipient clicked on ‘Reply All’ in response to an email from the inquiry, via the mailing list, and revealed their email to the entire list.

“This incident placed vulnerable people at risk, which is concerning,” wrote the privacy commission investigator. The inquiry “should and could have done more to ensure this did not happen. People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”

The inquiry has apologized to the affected people.

The investigation found:

  • The inquiry failed to use an email account that could send a separate email to each participant;
  • it failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s email addresses were entered into the ‘bcc’ field;
  • The inquiry breached its own privacy policy by sharing participants’ emails addresses with the IT company without their consent.

This mistake isn’t uncommon, said Halifax privacy lawyer David Fraser of the McInnes Cooper law firm. ”It’s the sort of thing where people are too casual when dealing with email. When you’re dealing with sensitive information you really need to make sure you’re exercising an appropriate level of care and attention. And if you’re an organization that handles sensitive information you probably need to put additional measures in place in order to make sure these sorts of things don’t happen.”

One solution is an email filter that won’t send a message with more than a certain number of recipients. Or a system that will only send a message to one recipient at a time on a specified list of addressees.

”It’s increasingly common to see customized [email] solutions that are intended to offer protections for a number of reasons,” Fraser said, “and obviously privacy is a significant and compelling interest.”

Regulators here don’t have the power to levy such a hefty fine issued by the U.K., he added, but he hopes “it will re-calibrate people’s understanding of what is at stake …. It stands as a lesson that ‘We need to be extra-careful with this sort of stuff.'”

Fraser is involved in a privacy suit against Health Canada on a somewhat similar incident, although it involved physical mail. in 2013 40,000 letters were mailed to people interested in upcoming changes to the federal Marihuana Medical Access Program. Unfortunately the envelopes’ see-through window with the recipients’ addresss also showed the name of the program, so anyone seeing the envelope might have thought the recipient was using medical marihuana.

The federal privacy commissioner concluded this was a violation of PIPEDA.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now