After revealing details of various organisations that have been censured in the last 15 months, the UK’s information watchdog has warned that the failure to protect data can cost lives
After reprimanding a range of public bodies in recent months over data breaches affecting domestic abuse victims, the Information Commissioner John Edwards has warned that such incidents can put lives at risk.
The regulator has today released details of seven formal reprimands issued since June 2022 – including four instances in which an alleged abuser was provided with a new safe address where their victim was staying.
Edwards said: “These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk. This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.”
The organisations reprimanded include: the Department for Work and Pensions; South Wales Police; Wakefield Council; Nottinghamshire County Council; University Hospitals Dorset NHS Foundation Trust; housing association Bolton at Home; and solicitors’ firm Jackson Quinn.
Related content
The 15-month timeframe in which the reprimands were issued covers the period since the Information Commissioner’s Office launched a new approach to working with the public sector. The revised model is characterised by moving away from punitive financial penalties and focusing on supporting organisations in raising standards – as well as shining a light on existing data-protection shortcomings and their impact, through an increase in public reprimands.
Alongside publicising the recent action taken against the seven organisations, the watchdog issued a five-point checklist to ensure that information is handled safely and compliantly: have processes in place to support those who need it; regularly check contact information; avoid inappropriate access; always double check; and ensure training is thorough and relevant.
Edwards added: “Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm. Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”
Breach details
Of the seven incidents revealed today, perhaps the most impactful involved Wakefield Council which, in a court bundle, erroneously provided the home address of a mother and two children to the children’s father – who had “a history of ongoing domestic violence and a break-in to her previous accommodation”. The breach resulted in the mother and children being moved immediately into emergency accommodation.
Gillian Marshall, Wakefield Council’s chief legal officer, said: “Any data breach is unacceptable but in situations like this there could be significant consequences. This is why we acted very quickly and took immediate action to ensure the safety of those affected. We were determined to ensure what we learnt was implemented across the whole organisation. We worked with the Information Commissioner’s Office to develop an action plan which is now complete. There are new internal processes which are regularly tested and reviewed alongside ongoing assurance checks to prevent this from happening again.”
The breach involving the Department for Work and Pensions related to a software application for redacting sensitive documents that had not been properly tested, leading to the intended redactions not being reflected in printed documents. This ultimately resulted in a person’s address being disclosed to a former partner with a history of domestic violence.
A spokesperson for the DWP said: “We have apologised to those affected by this rare breach and have taken swift action to prevent this happening again, including accepting the ICO recommendations in full.”
A social worker at Nottinghamshire County Council sent copies of assessment reports related to two children to their mother – and two of her ex—partners, who should have received a redacted version.
South Wales Police disclosed the identities of two women who had requested the provision of information under the Domestic Violence Disclosure Scheme and the Child Sex Offender Disclosure Scheme. The women’s personal data was wrongly provided to the people about whom they had requested data – or those people’s partners, one of whom had convictions for sexual assault and other violent crimes.
In a statement, the force said: “South Wales Police received a complaint in 2020 raising serious concerns about two applications made under the Domestic Violence Disclosure Scheme (Clare’s Law). The matter was investigated and referred to the Independent Office for Police Conduct and Information Commissioner’s Office to ensure it received the necessary independent oversight. We fully accept the findings of the ICO investigation and have already introduced training to ensure that our staff and officers have the correct level of knowledge and understanding to ensure we meet the requirements of data protection legislation when making disclosures under Clare’s Law.”
The breach involving Dorset NHS Trust came as a result of a process by which letters would include – without consent – the full postal address of all recipients. This led to someone’s ex-partner – and alleged abuser – being provided with their home address.
Bolton at Home left a voice message on the phone of the husband of a woman who was seeking alternative accommodation of her own in light of alleged abuse. The message contained details of the new address to which she was planning to move.
A spokesperson for the housing association said: “We fully supported the ICO’s investigation into what was a serious and regrettable incident. We never want to fall short of meeting customers’ needs and we’re sorry this happened. Data protection is of the utmost importance to us, and we’ve taken significant steps to minimise the risk of further breaches since this incident happened in March 2021. This includes a thorough review of processes and additional training for our staff. We took all the actions recommended by the ICO and kept them up to date with our progress. The ICO informed us in November 2022 they considered the matter closed.”
As part of a stepparent adoption proceedings, Jackson Quinn – a Nottinghamshire-based firm which specialises in family law – disclosed personal information in two reports provided to a father who is currently in prison for three convictions for raping the mother of his children.
The company – along with Dorset NHS Trust and Nottinghamshire Council – has been contacted by PublicTechnology requesting comment. We were awaiting response from all three at time of going to press.