The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.
The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.
They should make sure:
- Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
- A proper process is in place for address changes
- Data protection training is carried out, including refresher training.
In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner.
The incident reinforces the call by the Information Commissioner earlier this year for organisations to handle personal information properly to avoid putting victims of domestic abuse at the risk of further danger.
“This mistake was caused by a lack of appropriate refresher training, and the absence of a clear process. It led to significant distress and had the potential to put the victim in real danger.
“Vulnerable people need to be able to trust public sector organisations to look after their most sensitive details. We hope other organisations can learn from what went wrong in this case and ensure they know what to do to stop it happening at their organisation.”
- Natasha Longson, ICO Head of Investigations
Notes to editors
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.
- The ICO revised its approach to public sector enforcement last year. It aims to encourage greater data protection compliance from public authorities to prevent harms before they occur.