From the U.K. Information Commissioner’s Office:
- Warning comes after the ICO reprimands seven organisations in the past 14 months for data breaches affecting victims of domestic abuse.
- Most cases related to organisations inappropriately disclosing the victim’s home address to alleged perpetrators.
- Commissioner urges organisations to take responsibility for training their staff and putting appropriate systems in place to avoid such incidents.
- The action is supported by organisations including Women’s Aid and the Domestic Abuse Commissioner for England and Wales.
The UK Information Commissioner has today called on organisations to handle personal information properly to avoid putting victims of domestic abuse at risk of further danger.
Since June 2022, the Information Commissioner’s Office (ICO) has issued reprimands to seven organisations for data breaches affecting victims of domestic abuse.
They include:
- Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation.
- Revealing identities of women seeking information about their partners to those partners.
- Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.
- Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.
Organisations involved include a law firm, a housing association, an NHS trust, a government department, local councils and a police service. Root causes for the breaches vary, but common themes are a lack of staff training and failing to have robust procedures in place to handle personal information safely.
“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.
“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.
“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm.
“Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”
– John Edwards, UK Information Commissioner
The ICO revised its approach to public sector enforcement last year. It aims to reduce the impact of fines on the public by working more closely with the public sector, encouraging compliance with data protection law to prevent harms before they happen. The reprimands provide clear instructions to these organisations on how to improve their data protection practices, and other organisations can apply the lessons to their own activities so similar incidents are less likely to happen.
Advice and guidance to help organisations handle people’s information appropriately
Have processes in place to support those who need it
If an organisation works with people experiencing domestic abuse, it should make sure relevant staff know how to handle their data with extra care and that it is able to accommodate any requests for privacy (for example, requesting their data is not shared), including when people have specific accessibility requirements such as needing an interpreter.
This could include specific training, placing notes on files, ensuring staff include information about data-handling when taking part in handovers, or regularly reminding all staff of the processes. It could also include the provision of accredited interpreters and translation services, so people whose first language is not English or people with hearing and vision impairment have their personal information handled safely and can fully exercise their information rights.
Regularly check contact information
Organisations should take steps to ensure the data held is accurate. Frequently checking with people that the information and instructions held for them are still true could prevent information being disclosed to an old address, email address or contact number.
Avoid inappropriate access
Organisations may hold personal information about someone a staff member knows personally. It must be clear to staff which records they are allowed to access, and organisations should consider what technical measures could be implemented, such as passwords and access controls.
Always double check
Many breaches can be prevented by ensuring staff always double check before any personal information is transferred, altered or disclosed. This may mean double checking an address has been redacted, double checking an email address is correct, or double checking that all recipients are authorised to receive the information.
Ensure training is thorough and relevant
While organisations should always have data protection training in place, it is important to make sure any training is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal data safely and securely.
Reprimands issued in the past 14 months:
- Bolton at Home (June 2022): A woman seeking alternative accommodation after alleged domestic abuse contacted Bolton at Home. The organisation left a message on the phone number of her husband, whom she was intending to leave, and the message contained details of the new address she planned to move to.
- South Wales Police (August 2022): South Wales Police disclosed the identities of women who had applied for information under the Domestic Violence Disclosure Scheme and the Child Sex Offender Disclosure Scheme to the people they were requesting information about, or to their partners. In one case, the partner had previous convictions for violence and sexual assault.
- Jackson Quinn solicitors (August 2022): Jackson Quinn was representing two children in relation to stepparent adoption proceedings at the family court. The firm disclosed two reports containing personal information and the home address of the family to the birth father in error. The birth father is currently serving a prison sentence for three convictions of raping the mother.
- Wakefield Council (September 2022): The ICO reprimanded the council after it sent a court bundle, as part of Child Protection Legal Proceedings, which included the home address of the mother and her two children, to the children’s father. The mother was described as fearful of the father due to a history of ongoing domestic violence and a break-in to her previous accommodation. As a result of the breach, the mother and her children had to move into emergency alternative accommodation on the same day as the breach.
- Department for Work and Pensions (October 2022): The DWP failed to test a software application that redacted official documents, resulting in the redactions not appearing in official material when printed. This resulted in the inappropriate disclosure of personal information including one person’s address that was revealed to their ex-partner who had a history of domestic violence.
- University Hospitals Dorset NHS Foundation Trust (April 2023): The Trust had a procedure in place under which, when sending a letter, it would include the full postal address of other recipients of that letter without obtaining their consent to do so. In this case, an address was disclosed to an ex-partner of the person affected, something they particularly wished to be withheld following previous allegations of abuse.
- Nottinghamshire County Council (August 2023): The Council Assessment Service is responsible for preparing Child and Family Assessments, which assess the needs of vulnerable children in situations where there are concerns about their parents or caregivers. A social worker sent copies of an assessment report on two children to the mother and two ex-partners. The report contained sensitive personal information that should have been redacted from the copies sent to the partners.