The Independent Inquiry into Child Sex Abuse has been fined after a bulk email was sent that could have identified victims of abuse.
The email sent to 90 inquiry participants on 27 February 2017 placed vulnerable people at risk, the Information Commissioner’s Office (ICO) found.
Some of the 52 emails on the list contained people’s full names, leaving at least one complainant “very distressed”.
The inquiry was fined £200,000.
ICO director of investigations, Steve Eckersley, said: “People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.
“IICSA should and could have done more to ensure this did not happen.”
The inquiry failed to use a programme that could send a different email to each participant and failed to train its staff to check the ‘bcc’ field was used during a mass email.
The inquiry hired an IT company to manage the mailing list, and breached its own privacy notice by sharing the participants’ emails with the company without their consent.
The inquiry was set up in 2014 and is looking at the extent to which institutions failed to protect children from sexual abuse.
It breached the 1998 Data Protection Act, because the emails were sent before the 2018 Act came into effect.