Data breaches put domestic abuse victims’ lives at risk, Commissioner warns

Data breaches from organisations such as law firms, housing associations, NHS trusts, the police and a government department could have put domestic abuse victims’ at risk of further danger, the UK Information Commissioner has warned.

The commissioner has called on organisations to handle personal information properly to avoid putting victims of domestic abuse at further risk.

The Information Commissioner’s Office (ICO), which has issued reprimands to seven organisations for data breaches affecting victims of domestic abuse since June 2022, said most cases related to inappropriate disclosure of the victim’s home address to alleged perpetrators.

John Edwards (pictured), the UK Information Commissioner, said: “These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.”

He said called on organisations to handle personal information properly and stressed that “getting the basics right is simple” through training, double checking records and contact details and restricting access to information.

The ICO reprimands were handed out in four cases where the safe addresses of the victims were released to their alleged abuser.

In one case, a family had to be immediately moved to emergency accommodation.

Organisations had also revealed the identities of women seeking information about their partners to those partners.

In another case, they gave the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.

There was also a breach in which an unredacted assessment report about children at risk of harm was sent to their mother’s ex-partners.

The ICO said the organisations involved include a law firm, a housing association, an NHS trust, a government department, local councils and a police service.

A lack of staff training and failing to have robust procedures in place to handle personal information safely were among the various reasons for the breaches.

Mr Edwards continued: “This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care.

“The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.”

He added: “Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”

Nicole Jacobs, the Domestic Abuse Commissioner for England and Wales, said: “It takes a huge amount of bravery for victims and survivors of domestic abuse to come forward, and many go to extreme lengths to protect themselves from the perpetrator. To then be exposed to further harm due to poor data handling is a serious setback.

“That seven organisations have breached victims’ data in the past two years, with some sharing their address with the perpetrator, is extremely dangerous. For victims of domestic abuse, a data breach can be a matter of life or death.”

Kelly Andrews, the chief executive of Belfast and Lisburn Women’s Aid, said: “In the most serious cases lives are at risk. We encourage organisations to read the guidance and ensure staff are trained in handling confidential and sensitive data to better protect victims and prevent further harm.”

The ICO revised its approach to public sector enforcement last year. It aims to reduce the impact of fines on the public by working more closely with the public sector, encouraging compliance with data protection law to prevent harms before they happen.

The reprimands give instructions to the organisations on how to improve their data protection practices.

Copyright (c) PA Media Ltd. 2023, All Rights Reserved. The UK Information Commissioner.