Since June 2022 the Information Commissioner's Office (ICO) has issued reprimands to seven organisations for data breaches affecting victims of domestic abuse — and says it is time for data handlers to cease putting members of the public in danger.
A law firm, a housing association, an NHS trust, a government department, local councils and a police service have all been sanctioned by the body in the last 14 months for such breaches.
Bodies committing the errors include Bolton at Home, South Wales Police, Wakefield Council, the Department for Work and Pensions and University Hospitals Dorset NHS Foundation Trust, among others.
“This is a pattern that must stop,” said Information Commissioner John Edwards.
“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations — but the very people that they trusted to help exposed them to further risk,” he said.
The privacy watchdog is now warning organisations they need to take responsibility for training their staff.
They also need to be putting “appropriate systems in place” to avoid any more such incidents.
“The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place,” Edwards added.
“Organisations should be doing everything necessary to protect the personal information in their care.”
‘A lack of staff training’
The cases that have so unsettled the Commissioner include:
- Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case, a family had to be immediately moved to emergency accommodation
- Revealing identities of women seeking information about their partners to those partners
- Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother
- Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.
ICO says the root causes for the breaches vary, but common themes are a lack of staff training and failing to have robust procedures in place to handle personal information safely.
Therefore, thorough training on basic protection steps like double checking records and contact details and restricting access to information should be a priority.
ICO also recommends that if your organisation works with people experiencing domestic abuse, it should make sure relevant staff know how to handle their data with extra care, and should be able to accommodate any requests for privacy, such as a request that their data is not shared.
Organisations should take steps to ensure the data held is accurate and remind staff to always double check before any personal information is transferred, altered or disclosed, e.g. double checking that an address has been redacted, that an email address is correct, or that all recipients are authorised to receive the information.
Nicole Jacobs, the Domestic Abuse Commissioner for England and Wales, said: “That seven organisations have breached victims’ data in the past two years, with some sharing their address with the perpetrator, is extremely dangerous. For victims of domestic abuse, a data breach can be a matter of life or death.”
“Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe,” Edwards said.
The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.