Information commissioner John Edwards has called on public and private sector organisations to do more to protect victims of domestic abuse after a series of breaches that disclosed personal information and put lives in danger.
The Department for Work and Pensions is one of seven organisations that have been repremanded by the Information Commissioner’s Office in the past 14 months for wrong disclosures that affected domestic-abuse victims – most commonly by inappropriately giving victims’ home addresses to alleged perpetrators. Edwards said the watchdog is now making the protection of domestic-violence victims’ information rights a priority.
DWP was given a reprimand in October last year after it failed to test that a printing application worked properly with another app used to compile online casework bundles for child maintenance appeals .
As a result, personal data relating to 16 individuals was inappropriately disclosed to third parties because documents were printed in unredacted form. In one case, a person’s address was revealed to an ex-partner who has a history of domestic violence.
The other organisations named by the ICO included Nottinghamshire County Council, Wakefield Council, social-housing provider Bolton at Home, South Wales Police, University Hospitals Dorset NHS Foundation Trust, and law firm Jackson Quinn.
As well as multiple cases of organisations giving supposedly safe addresses of domestic violence victims to their alleged abusers, some women who had been seeking information about their partners had their identities revealed to those partners.
Other cases saw unredacted assessment reports about children at risk of harm being sent to their mother’s former partners and the home address of two adopted children being disclosed to their birth father, who was in prison on three counts of raping the children’s mother.
One of the data breaches resulted in a family having to be moved immediately to emergency accommodation to protect their safety.
Edwards said it was imperative for organisations working with people experiencing domestic abuse to have staff who know how to handle data with extra care and that the ICO’s reprimands highlighted significant failings on the part of the organisations involved.
“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations,” he said. “But the very people that they trusted to help, exposed them to further risk.
“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care.
“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information – all these things reduce the risk of even greater harm.”
Domestic abuse commissioner for England and Wales Nicole Jacobs said victims and survivors went to extreme lengths to protect themselves from perpetrators and being exposed to extra harm by poor data-handling was a “serious setback”.
“For victims of domestic abuse, a data breach can be a matter of life or death,” she said. “There is no room for basic mistakes – all organisations that handle victims’ data must implement proper training, robust processes, and regular checking.”
The ICO reprimand issued to DWP last October said the department had begun using the Xerox Reprographics application with child maintenance appeals bundles but did not do a data-protection impact assessment because the application was in use in other service areas.
However, the redaction requirements for child maintenance appeals are different to the other types of appeal casework where the app had already been used and the redaction functionality of the app was not tested.
It subsequently emerged that Xerox Reprographics was not compatible with another app used to create online bundles for child maintenance appeals and redact documents. The result was that online redactions were not made to the printed versions of bundles sent out to individuals and unredacted documents disclosed the personal data of 16 people.
The reprimand letter said DWP had “been negligent in ensuring the security and the confidentiality of the personal data it processes in CM appeals”. It also noted that the department had failed to report the incident to the ICO within 72 hours of being made aware of it, which is a UK GDPR requirement.
The letter said 17 days had elapsed between the first complaint being made to the department and the report being made to the IPO.
A DWP spokesperson said the department had taken immediate action to ensure no further breaches occurred, corrected staff guidance, and raised awareness about the need for any new software to be thoroughly tested before introduction.
“We have apologised to those affected by this rare breach and have taken swift action to prevent this happening again, including accepting the ICO recommendations in full,” the spokesperson said.
DWP added that those affected by its data breach had also been paid compensation.