The Information Commissioner’s Office (ICO) has warned that data breaches are putting domestic abuse victims’ lives at risk. The privacy watchdog has revealed that seven organisations have inadvertently released vital information about vulnerable individuals, in some cases to their abusers, within the past 14 months.
Information commissioner John Edwards today urged institutions housing these kinds of data to take responsibility for training their staff and to put appropriate systems in place to avoid such incidents.
How data on domestic abuse victims has leaked
Organisations accused of putting customers at risk include a law firm, a housing association, an NHS trust, local authorities and a police service. In many cases, a lack of staff training and failure to have robust procedures in place to handle personal information safely are to blame for the breaches, Edwards said. The ICO has issued seven reprimands about this since June 2022.
In four cases, organisations revealed the safe addresses of victims to their abusers, leading directly to one household having to move to emergency accommodation. In another case, the new identities of women were leaked to their abusers when they asked for information about said abusers.
The home addresses of two adopted children were disclosed to their birth father who was in prison on three counts of raping their mother, while an unredacted assessment report concerning children at risk of harm was sent out to the ex-partners of their mothers.
The ICO is advising companies that hold sensitive data to regularly check contact information and to avoid allowing staff inappropriate access to this information. It says organisations should always double-check before any information is transferred, and ensure that training, once implemented, is thorough and relevant.
Data handling mistakes are being made
Edwards said organisations “should be doing everything necessary to protect the personal information in their care”. He said: “The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.”
The basics of data safeguarding are simple, he added: “Thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm,” Edwards said.
As reported by Tech Monitor last month, the ICO reprimanded three organisations for leaking NHS patient data through unsafe data transfers. Identities of patients experiencing gender dysphoria were accidentally released by a Patient and Client Council in Northern Ireland.
The ICO also rebuked Northern Ireland’s Executive Office for sending an e-newsletter concerning a Historical Institutional Abuse (HIA) inquiry to 251 subscribers in a way that showed all the email addresses of the recipients. “It can be inferred that the people included in the email were likely to be victims and survivors,” of domestic abuse, the ICO said, “as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging, with the HIA Inquiry compensation scheme.”
Last November, a data breach at Suffolk Police saw details of sexual assault victims posted online. Though the information was apparently only available for a short period, this would be long enough to “put women at risk of further violence,” the Suffolk Rape Crisis organisation said at the time.