Gloucestershire Police has been fined £80,000 for revealing identities of child abuse victims in a bulk email.
An officer involved in an investigation into non-recent allegations sent an update on the case to 56 people, including victims, witnesses, journalists and lawyers.
They inadvertently made all the email addresses viewable by all recipients.
The Information Commissioner’s Office (ICO) said it was a “serious breach” of data protection laws.
Gloucestershire Police said it was disappointed by the decision and is considering an appeal.
An investigation found the “bcc” (blind carbon copy) function, which can be used to send bulk emails and keep the addresses private, was not automatically selectable on the system used by the officer.
Instead they used a function that displays all other recipients’ email addresses.
The force realised the mistake two days after it happened in December 2016, and successfully recalled three emails. One email was undeliverable.
This meant the 56 names were visible by to up to 52 people.
Some of the abuse victims had been granted a right to lifelong anonymity.
When the force realised the error it reported it to the ICO and sent emails of apology to all the recipients.
Steve Eckersley from the ICO said: “This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity.
“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”
The case was dealt with under the old Data Protection Act, because the offence was committed before the new 2018 Act came into effect.
Gloucestershire Police said although the mistake was spotted immediately, measures have since been put in place to prevent it happening again.