Data breaches put domestic abuse victims’ lives at risk, UK Information Commissioner warns

Warning comes after the ICO reprimands seven organisations in the past 14 months for data breaches affecting victims of domestic abuse.
Most cases related to organisations inappropriately disclosing the victim’s home address to alleged perpetrators.
Commissioner urges organisations to take responsibility for training their staff and putting appropriate systems in place to avoid such incidents.
The action is supported by organisations including Women’s Aid and the Domestic Abuse Commissioner for England and Wales

The UK Information Commissioner has today called on organisations to handle personal information properly to avoid putting victims of domestic abuse at the risk of further danger.

Since June 2022, the Information Commissioner’s Office (ICO) has issued reprimands to seven organisations for data breaches affecting victims of domestic abuse.

They include:

Four cases of organisations revealing the safe addresses of the victims to their alleged abuser. In one case a family had to be immediately moved to emergency accommodation.
Revealing identities of women seeking information about their partners to those partners.
Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.
Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners.

Organisations involved include a law firm, a housing association, an NHS trust, a government department, local councils and a police service. Root causes for the breaches vary, but common themes are a lack of staff training and failing to have robust procedures in place to handle personal information safely.

“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.

“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.

“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information - all these things reduce the risk of even greater harm.

"Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”

- John Edwards, UK Information Commissioner

The ICO revised its approach to public sector enforcement last year. It aims to reduce the impact of fines on the public by working more closely with the public sector, encouraging compliance with data protection law to prevent harms before they happen. The reprimands provide clear instructions to these organisations on how to improve their data protection practices, and other organisations can apply the lessons to their own activities so similar incidents are less likely to happen.

Advice and guidance to help organisations handle people’s information appropriately

Have processes in place to support those who need it

If an organisation works with people experiencing domestic abuse, it should make sure relevant staff know how to handle their data with extra care and is able to accommodate any requests for privacy (for example, requesting their data is not shared), including when people have specific accessibility requirements such as needing an interpreter.

This could include specific training, placing notes on files, ensuring staff include information about data-handling when taking part in handovers, or regularly reminding all staff of the processes. It could also include the provision of accredited interpreters and translation services, so people whose first language is not English or people with hearing and vision impairment have their personal information handled safely and can fully exercise their information rights.

Regularly check contact information

Organisations should take steps to ensure the data held is accurate. Frequently checking with people that the information and instructions held for them are still true could prevent information being disclosed to an old address, email address or contact number.

Avoid inappropriate access

Organisations may hold personal information about someone a staff member knows personally. It must be clear to staff about what records they are allowed to access and consider what technical measures could be implemented, such as passwords and access controls.

Always double check

Many breaches can be prevented by ensuring staff always double check before any personal information is transferred, altered or disclosed. This may mean double checking an address has been redacted, double checking an email address is correct, or double checking that all recipients are authorised to receive the information.

Ensure training is thorough and relevant

While organisations should always have data protection training in place, it is important to make sure any training is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal data safely and securely.

Notes to Editors

The ICO revised its approach to public sector enforcement last year. It aims to encourage greater data protection compliance from public authorities to prevent harms before they occur.

Reprimands issued in the past 14 months:

Bolton at Home (June 2022): A woman seeking alternative accommodation after alleged domestic abuse contacted Bolton at Home. The organisation left a message on her husband's phone number, who she was intending to leave, and which contained details of the new address she planned to move to.
South Wales Police (August 2022): South Wales Police disclosed the identities of women who had applied for information under the Domestic Violence Disclosure Scheme and the Child Sex Offender Disclosure Scheme to the people they were requesting information about, or to their partners. In one case, the partner had previous convictions for violence and sexual assault.
Jackson Quinn solicitors (August 2022): Jackson Quinn was representing two children in relation to stepparent adoption proceedings at the family court. The firm disclosed two reports containing personal information and the home address of the family to the birth father in error. The birth father is currently serving a prison sentence for three convictions of raping the mother.
Wakefield Council (September 2022): The ICO reprimanded the council after sending a court bundle, as part of Child Protection Legal Proceedings, which included the home address of the mother and her two children to the children’s father. The mother was described as fearful of the father due to a history of ongoing domestic violence and a break-in to her previous accommodation. As a result of the breach, the mother and her children had to move into emergency alternative accommodation on the same day of the breach.
Department for Work and Pensions (October 2022): The DWP failed to test a software application that redacted official documents, resulting in the redactions not appearing in official material when printed. This resulted in the inappropriate disclosure of personal information including one person’s address that was revealed to their ex-partner who had a history of domestic violence.
University Hospitals Dorset NHS Foundation Trust (April 2023): The Trust had a procedure in place that when sending a letter, it would include the full postal address of other recipients of that letter without obtaining their consent to do so. In this case, an address was disclosed to an ex-partner of the person affected, something they particularly wished to be withheld following previous allegations of abuse.
Nottinghamshire County Council (August 2023): The Council Assessment Service is responsible for preparing Child and Family Assessments, which assess the needs of vulnerable children in situations where there are concerns about their parents or caregivers. A social worker sent copies of an assessment report on two children to the mother and two ex-partners. The report contained sensitive personal information that should have been redacted from the copies sent to the partners.

Supportive quotes

Nicole Jacobs, the Domestic Abuse Commissioner for England and Wales said:

“It takes a huge amount of bravery for victims and survivors of domestic abuse to come forward, and many go to extreme lengths to protect themselves from the perpetrator. To then be exposed to further harm due to poor data handling is a serious setback.

“That seven organisations have breached victims’ data in the past two years, with some sharing their address with the perpetrator, is extremely dangerous. For victims of domestic abuse, a data breach can be a matter of life or death.

“I wholeheartedly support the information commissioner’s calls on organisations to handle the information of victims of domestic abuse safely. There is no room for basic mistakes – all organisations that handle victims’ data must implement proper training, robust processes, and regular checking.

“I welcome that the Information Commissioner has made the information of victims and survivors of domestic abuse a priority, and look forward to working together to keep all victims safe.”

Geraldine Hanna, Commissioner Designate for Victims of Crime, Northern Ireland, said:

“I welcome the ICO’s focus and action taken in this area. The reality is that a basic human error can have devastating consequences for the safety of victims and their children.

“It is essential that all organisations ensure that robust systems are in place alongside mandatory staff training to ensure that victims’ personal information is handled safely and securely.”

Farah Nazeer, Chief Executive of Women's Aid said:

“The safety of personal information for women and children experiencing domestic abuse is of the utmost importance and can be a matter of life and death. A perpetrator of domestic abuse assumes control of a woman throughout their relationship, and this does not end, but often escalates after separation.

“Women and their children are at significant risk when leaving an abusive partner and reaching out to public services – such as the police, councils, hospitals, lawyers, housing and benefits teams – for help. These highly concerning data breaches have undermined women’s safety, had severe consequences for women and children’s lives, and show just how urgently public services need to improve their understanding and responses to domestic abuse.

“We call on all public services working with survivors of domestic abuse to ensure that professionals have compulsory, in-depth training on domestic abuse, including the safety of personal information, which must be delivered by specialist domestic abuse organisations. We look forward to working with the Information Commissioner’s Office to improve awareness and understanding of data protection and domestic abuse.”

Kelly Andrews, Chief Executive of Belfast and Lisburn Women’s Aid, said:

"We welcome the Information Commissioner’s action, highlighting the detrimental impact on victims and survivors of domestic abuse when organisations inappropriately share and breach data laws. In the most serious cases lives are at risk. We encourage organisations to read the guidance and ensure staff are trained in handling confidential and sensitive data to better protect victims and prevent further harm."

About the Information Commissioner’s Office (ICO)

The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.