Data breaches put domestic abuse victims’ lives at risk, UK Information Commissioner warns

The UK Information Commissioner has called on organisations to handle personal information properly to avoid putting victims of domestic abuse at risk of further danger.

Since June 2022, the Information Commissioner’s Office (ICO) has issued reprimands to seven organisations for data breaches affecting victims of domestic abuse.

They include:

  • Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation.
  • Revealing identities of women seeking information about their partners to those partners.
  • Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.
  • Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.

Organisations involved include a law firm, a housing association, an NHS trust, a government department, local councils and a police service. Root causes for the breaches vary, but common themes are a lack of staff training and failing to have robust procedures in place to handle personal information safely.

“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.

“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.

“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm.

“Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”

– John Edwards, UK Information Commissioner

The ICO revised its approach to public sector enforcement last year. It aims to reduce the impact of fines on the public by working more closely with the public sector, encouraging compliance with data protection law to prevent harms before they happen. The reprimands provide clear instructions to these organisations on how to improve their data protection practices, and other organisations can apply the lessons to their own activities so similar incidents are less likely to happen.

Advice and guidance to help organisations handle people’s information appropriately

Have processes in place to support those who need it

If an organisation works with people experiencing domestic abuse, it should make sure relevant staff know how to handle their data with extra care and that it is able to accommodate any requests for privacy (for example, a request that their data is not shared), including when people have specific accessibility requirements such as needing an interpreter.

This could include specific training, placing notes on files, ensuring staff include information about data-handling when taking part in handovers, or regularly reminding all staff of the processes. It could also include the provision of accredited interpreters and translation services, so people whose first language is not English or people with hearing and vision impairment have their personal information handled safely and can fully exercise their information rights.

Regularly check contact information

Organisations should take steps to ensure the data held is accurate. Frequently checking with people that the information and instructions held for them are still true could prevent information being disclosed to an old address, email address or contact number.

Avoid inappropriate access

Organisations may hold personal information about someone a staff member knows personally. It must be clear to staff which records they are allowed to access, and organisations should consider what technical measures could be implemented, such as passwords and access controls.

Always double check

Many breaches can be prevented by ensuring staff always double check before any personal information is transferred, altered or disclosed. This may mean double checking an address has been redacted, double checking an email address is correct, or double checking that all recipients are authorised to receive the information.

Ensure training is thorough and relevant

While organisations should always have data protection training in place, it is important to make sure any training is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal data safely and securely.
