Abuse Inquiry shared our personal emails, but taking funds away from our inquiry is punishing us twice:
Core participant hits out as Child Abuse Inquiry fined £200K for major data breach
By Nigel O’Mara
Nigel O’Mara is a veteran campaigner for child abuse survivors. He has waived his right to anonymity as a core participant in the Independent Inquiry into Child Sexual Abuse.
It has been announced today that the Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 after sending a mass email that leaked the identities of child sex abuse survivors.
One of the names on the serious data breach last year, in which the inquiry revealed the names and emails of almost 90 people, identifying possible abuse survivors who had asked to remain anonymous was mine.
But before I go into the effect it had on me and other people who had agreed to take part in the government’s independent inquiry – one that relies on people trusting its commitment to safeguard the confidentiality of the people it represents – I would like to explain why the Information Commissioner’s Office (ICO) needs to reconsider today’s decision and not punish us child abuse survivors even further for a breach of our data that was not our fault.
The IICSA was launched in 2014 by the then Home Secretary Theresa May as a much needed national inquiry into failures to protect children from sexual abuse in institutions all over the country. 13 investigations have been launched, with institutions such as the church, Home Office-run residential schools, and councils such as Nottinghamshire and Lambeth coming under its scope.
It has relied on thousands of survivors of abuse coming forward and giving incredibly hard evidence so that lessons can be learned to protect future generations.
The purpose of the IICSA is to give a voice to the victims and survivors of child abuse.
Today’s decision by the information commissioner to fine the IICSA over the breach of victims and survivors data is a double blow for me and everyone whose data has been breached.
First we have had to deal with the worry that our personal emails were sent out. And the IICSA should be held responsible and learn from this serious breach.
But now the inquiry – the very organisation charged with bringing us all justice and investigation after decades of neglect has been stripped of valuable resources.
IICSA’s resources have always been subject of discussion at our regular meetings with the inquiry solicitors and Survivor led forums have not been funded as was proposed at the beginning of the inquiry process. Instead the inquiry led forums, which were funded, seem to have all but disappeared in the past year. Obviously in the current economic climate all child sexual abuse support organisations are struggling to match resource with demand.
And now £200,000 has been taken away from our inquiry and given to the treasury.
This all started in 2017 when an email was sent out to a group of survivors and victims of sexual abuse.
An inquiry staff member emailed 90 people using the “to” field instead of the “bcc” field – which meant we could see each others’ personal emails.
When I noticed this breach, my first thoughts were ‘here we go again’: the people we are supposed to trust with our innermost emotions regarding the abuse we suffered are failing to even keep our basic details safe. It mirrored some of the appalling service some of us have received from other agencies which were supposedly there to protect us.
On receiving the email it was quickly reported back to the inquiry that the breach had taken place and that survivors’ personal emails had been accidently added to the send list rather than being blind copied.
After the breach there were some who replied to all and started a string of emails which distressed others in the emails as they did not want to be included in this form of discourse.
The IICSA responded very quickly to the breach and asked those involved to stop replying to all and very soon there were no more threads added to the emails.
IICSA then reported themselves to the ICO as was appropriate and issued a general apology for the breach.
In my opinion they could and should have gone further and issued personalised apologies for something so sensitive.
Roll forward to 2018 and today’s announcement that a £200,000 fine has been issued by the ICO in a ruling against IICSA.
So the recipient of the monies fined is the Treasury in effect the very same Treasury which pays for the Inquiry out of the Home Office budget.
The net effect of this is that an inquiry, which as Victims and Survivors we are told is resource poor, has to pay a fine and therefore cannot deliver the same quality of work.
We are penalised for our own Data being breached by the removal of funds from the very inquiry which is there to give us our voice.
There can be no measure of justice in this decision.
In every way it penalises the people who are the victims of the breach of Data. It makes no form of recompense to those whose Data was breached and also adversely affects the important and valuable work that this inquiry is doing.
Surely there is another way. I would suggest that maybe each of those affected by the breach could be given a token payment, say £100 to donate to a support organisation within this field of their choice.
I would also request that the inquiry made a more personalised apology for the breach as its earlier apology was very impersonal and did not recognise the individual in their response. That would have cost a great deal less and had a better effect.
In my opinion, the ICO should bear in mind the effects of their rulings on the people who have been victims of the abuse and not just be a way for the government to move around money.
Following the Information Commissioner’s announcement today that they have fined the Inquiry for the data breach in February 2017, the IICSA issued the following statement:
“The Inquiry takes its data protection obligations very seriously and we have apologised to those affected by the data breach.
“After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimised.”
