Data breaches put domestic abuse victims at risk, UK’s ICO warns

“This is a pattern that must stop,” says the Information Commissioner’s Office.

Data breaches can put victims of domestic abuse in grave danger, the UK Information Commissioner (ICO) has warned, and has called on organizations to handle personal information with care in order to avoid further risks.

Since June 2022, the ICO has issued reprimands to seven organizations for data breaches that have affected victims of domestic abuse.

The reprimanded organizations included a law firm, a housing association, a NHS trust, a government department, local councils, and a police service, who all breached sensitive data. The breaches included:

  • Revealing, in four instances, the safe addresses of the victims to their alleged abuser. In one of those cases, the victim’s family had to be moved to emergency accommodation immediately.
  • Revealing identities of women who were seeking information about their partners – to those partners.
  • Disclosing the home address of two adopted children to their birth father – who was in prison on three counts of raping their mother.
  • Sending an unredacted assessment report about children at risk of harm – to their mother’s ex-partners.

Failing to have proper routines

The causes of the data breaches varied among the organizations, but the ICO says that the common themes are a lack of staff training, as well as failing to have proper procedures in place to handle personal information safely.

“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk,” said John Edwards, UK Information Commissioner.

“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.”

John Edwards, ICO Information Commissioner
John Edwards, ICO Information Commissioner. Photo: ICO

The ICO did not name the organizations, but the Norfolk and Suffolk constabularies earlier announced a large data breach that included sensitive information on domestic abuse victims.

Personal and identifiable information on a total of 1,230 victims, witnesses, and suspects, had been leaked due to an error. The leaked data included descriptions of offences, and was related to a range of offences, including domestic incidents, sexual offences, assaults, thefts and hate crime. 

“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.”

John Edwards, UK Information Commissioner

The warning is intended to encourage organizations to take responsibility for setting up adequate systems, procedures and also ensure adequate training is provided to employees in order to avoid further incidents.

“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm,” Edwards continued.

“Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”

Last year, the ICO revised its approach on enforcement actions in the public sector, emphasizing closer collaboration with organizations, replacing fines with reprimands and providing ‘lessons learned’ reports in order to ensure further breaches of data protection rules are avoided.

The ICO’s advice and guidance to handle people’s information appropriately

1. Have processes in place to support those who need it

Make sure that relevant employees know how to handle and care for sensitise data, like victims of domestic abuse. That includes being able to accommodate any requests for privacy, like requests to have data not shared, or when people have specific accessibility requirements – for example needing an interpreter.

The processes could include specific training, placing notes on files, ensure that staff are including information about data-handling with handovers, or regularly reminding all staff of the processes.

Another step can be to include the provision of accredited interpreters and translation services – to serve people whose first language is not English, or to make sure that people with hearing and vision impairment have their personal information handled safely and can fully exercise their information rights.

2. Regularly check contact information

Make sure that the data you/your organization hold is correct and up to date. Make frequent checks to make sure that the data you hold is still true to prevent disclosing old information.

3. Avoid inappropriate access

Make it clear to the employees what kind of records they are allowed to access – and consider the fact that the organizations might hold information on people the staff might know personally. Also consider what technical measures that could be implemented – like passwords and access controls.

4. Always double check

Always double check the information before any personal information is transferred, altered or disclosed. For example, check if the address has been redacted, if the email address is correct, if the recipients are authorised to receive the information.

5. Ensure training is thorough and relevant

Make the data training role-specific, tailored and relevant so employees feel confident in handling people’s personal data safely and securely.