UK data regulator warns that data breaches put abuse victims’ lives at risk

The UK Information Commissioner's Office (ICO) has warned of the potential risks to life posed by data breaches exposing the personally identifiable information (PII) of domestic abuse victims. The data privacy regulator urged organizations handling the PII of domestic abuse victims to take responsibility for training their staff and putting appropriate systems in place to avoid such incidents.

The ICO has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse, including four cases of organizations revealing the safe addresses of victims to their alleged abuser and the disclosure of the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother.

Organisations involved include a law firm, a housing association, a National Health Service trust, a government department, local councils, and a police service. Root causes for the breaches vary, but common themes are a lack of staff training and failure to have robust procedures in place to handle personal information safely, the ICO said.

Organizations should do "everything necessary" to protect personal information

"These families reached out for help to escape unimaginable violence, to protect them from harm, and to seek support to move forward from dangerous situations," said John Edwards, UK Information Commissioner. "The very people that they trusted to help, exposed them to further risk."

This is a pattern that must stop, and organizations should be doing everything necessary to protect the personal information in their care, Edwards added. "The reprimands issued in the past year make clear that mistakes were made and that organizations must resolve the issues that lead to these breaches in the first place."

The basics of thorough training and restricting access to information can reduce the risk of even greater harm, Edwards said. "Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe."

If an organization works with people experiencing domestic abuse, it should make sure relevant staff know how to handle their data with extra care and that it is able to accommodate any requests for privacy, the ICO said. This could include specific training, ensuring staff include information about data handling on handovers, and regularly reminding staff of data security processes, the regulator added.

In May, the ICO called for "serious improvements" to data protection processes for organizations handling information on HIV sufferers, after reprimanding an NHS body in relation to a data breach.