The Information Commissioner’s Office (ICO) has issued reprimands to seven organisations for data breaches that have affected victims of domestic abuse. The organisations include a law firm, a housing association, an NHS trust, a Government department, local councils, and a Police service.
Four of the breaches involved an organisation releasing the safe address of victims to their alleged abuser. In one case, this resulted in the victim and their family needing to be moved into emergency accommodation.
The ICO conducted a full investigation and found that, although the causes of the breaches varied, there was a common theme between them. The ICO found that there was a lack of staff training and insufficient procedures in place to enable the organisations to handle personal data safely.
As a result of the above, the ICO has released some advice and guidance to help organisations handle personal data appropriately.
Having processes in place
One of the suggestions put forward by the ICO is that organisations should have processes in place to support those who need it. The ICO made it clear that if an organisation works with people experiencing domestic abuse, it should make sure that the staff dealing with the data are sufficiently trained so that they know how to handle it. This could be achieved by giving specific training to staff, placing notes on files, ensuring that staff include information about data handling when doing handovers, and/or regularly reminding staff of the processes for processing personal data.
Checking contact information
The ICO has suggested that organisations should ensure that any data held is accurate. This is something that organisations should be doing anyway in accordance with the accuracy principle. Article 5(1)(d) of the UK GDPR says personal data shall be:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
Specifically, the ICO has suggested that organisations should frequently check with people that the information held is still true, to prevent information from being disclosed to an old address, email address, or contact number. However, if an organisation is processing a lot of different individuals’ data, this could be very difficult and time-consuming in practice.
Avoid inappropriate access
The ICO has said that employers need to make it clear to staff members what records they are allowed to access and consider what technical measures could be implemented to ensure that only the relevant members of staff can access the information.
Always double check
Another suggestion by the ICO is that staff should double-check before any data is transferred, altered, or disclosed. This could be built into a policy.
Ensure training is thorough and relevant
As a minimum, organisations should provide their employees with data protection training. The ICO has, however, suggested that this training should go one step further and be role-specific, tailored, and relevant to the tasks being undertaken by the employee.
Comment
The Information Commissioner, John Edwards, has said the following in relation to the breaches:
“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.
This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.
Getting the basics right is simple – thorough training, double checking records, and contact details, restricting access to information – all these things reduce the risk of even greater harm.
Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe.”
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice concerning the subject discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.