The Information Commissioner’s Office (ICO) has published a report highlighting how organisations attached to the Victims Services Alliance (VSA) are looking after people’s information in compliance with the Data Protection Act (DPA).

The VSA is a national network of 69 charities and voluntary groups who work with victims of crime. They work to improve services to victims of crime, their families and others who may have been affected by crime. In order to provide these services, they may be handling sensitive personal information, including details of individuals’ health and welfare. These organisations also rely on volunteers and temporary workers, which means they can have a high turnover of staff.

The report provides an overview of the ICO’s findings from examining the data protection practices at five VSA organisations and the results of a data protection survey responded to by 27 representatives from other VSA members.

ICO Good Practice Group Manager for the Criminal and Justice Sector, Victoria Heath, said:

“Members of the Victims Services Alliance face a difficult challenge when it comes to looking after personal information. They often rely on a regular stream of volunteers to provide support to the victims they care for, while handling sensitive details relating to the abuse or mistreatment of vulnerable people. This creates a unique challenge and one we are pleased to say many organisations are meeting.

“Nevertheless, there are still a number of areas where organisations could be doing more to keep people’s information secure. For example, most VSA organisations don’t appear to have a formal retention schedule explaining when personal information should be securely deleted. There was also inconsistent advice given to home workers. With 41% of VSA staff working from home these are important issues that need addressing. Our report will help organisations achieve this by introducing relatively minor changes to their existing practices.”

Some of the areas of best practice identified in today’s outcomes report that other VSA organisations can learn from include:

  • The majority of staff (85%) are vetted by the Disclosure and Barring Service before being appointed.
  • The Criminal Justice Secure Mail email system is used for sending personal information between agencies, ensuring the information remains secure.
  • Most staff working at VSA organisations are aware of the need to only record personal information that is adequate and relevant for a specific purpose.


The outcomes report also highlights the need for improvements in a number of priority areas including:

  • Organisations should identify which party is ultimately responsible for keeping the personal information being processed secure, known under the DPA as the data controller, and which organisation is only handling the information on behalf of another body, known under the DPA as a data processor.
  • Organisations need to have a formal home and remote working policy to ensure personal information continues to be handled correctly outside of the office.
  • Organisations should ensure that data sharing agreements are in place so that both parties know the circumstances under which personal information should be shared and the secure process for doing so.


The report provides links to relevant guidance from the ICO and other recognised bodies to help VSA organisations look after people’s information.

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
  4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive