Data breaches put domestic abuse victims’ lives at risk, Information Commissioner warns

John Edwards said the breaches had put victims’ lives at risk.

In August 2022, South Wales Police had disclosed the identities of women who had applied for information under the Domestic Violence Disclosure Scheme and the Child Sex Offender Disclosure Scheme to the people they were requesting information about, or to their partners.

In one case, the partner had previous convictions for violence and sexual assault, said the Information Commissioner.

Other organisations involved include a law firm, a housing association, an NHS trust, a government department and local councils.

Most cases related to organisations inappropriately disclosing the victim’s home address to alleged perpetrators.

Mr Edwards said the reprimands issued since June 2022 “make clear that mistakes were made” and he is urging organisations to take responsibility for training their staff and putting appropriate systems in place to avoid such incidents.

He said personal information must be “handled properly” to avoid putting victims of domestic abuse at the risk of further danger.

The action is supported by organisations including Women’s Aid and the Domestic Abuse Commissioner for England and Wales.

Mr Edwards said: “These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.

“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.

“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm.

“Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”

The reprimands include four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation.

Other cases included disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother, and sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.

The Information Commissioner said root causes for the breaches vary, but common themes are a lack of staff training and failing to have robust procedures in place to handle personal information safely.

He said the reprimands provide clear instructions to these organisations on how to improve their data protection practices, and other organisations can apply the lessons to their own activities so similar incidents are less likely to happen.

“While organisations should always have data protection training in place, it is important to make sure any training is role-specific, tailored and relevant to the tasks being completed,” said the Information Commissioner. “Staff should feel confident in handling people’s personal data safely and securely.”

Domestic Abuse Commissioner Nicole Jacobs said: “It takes a huge amount of bravery for victims and survivors of domestic abuse to come forward, and many go to extreme lengths to protect themselves from the perpetrator. To then be exposed to further harm due to poor data handling is a serious setback.

“That seven organisations have breached victims’ data in the past two years, with some sharing their address with the perpetrator, is extremely dangerous. For victims of domestic abuse, a data breach can be a matter of life or death.

“I wholeheartedly support the information commissioner’s calls on organisations to handle the information of victims of domestic abuse safely. There is no room for basic mistakes – all organisations that handle victims’ data must implement proper training, robust processes, and regular checking.

“I welcome that the Information Commissioner has made the information of victims and survivors of domestic abuse a priority, and look forward to working together to keep all victims safe.”

Farah Nazeer, chief executive of Women’s Aid, added: “The safety of personal information for women and children experiencing domestic abuse is of the utmost importance and can be a matter of life and death. A perpetrator of domestic abuse assumes control of a woman throughout their relationship, and this does not end, but often escalates after separation.

“Women and their children are at significant risk when leaving an abusive partner and reaching out to public services – such as the police, councils, hospitals, lawyers, housing and benefits teams – for help. These highly concerning data breaches have undermined women’s safety, had severe consequences for women and children’s lives, and show just how urgently public services need to improve their understanding and responses to domestic abuse.

“We call on all public services working with survivors of domestic abuse to ensure that professionals have compulsory, in-depth training on domestic abuse, including the safety of personal information, which must be delivered by specialist domestic abuse organisations. We look forward to working with the Information Commissioner’s Office to improve awareness and understanding of data protection and domestic abuse.”