Information Commissioner names and shames two councils in warning about data breaches putting lives of domestic abuse victims at risk

The Information Commissioner has called on organisations to handle personal information responsibly after the watchdog revealed that it had reprimanded seven organisations, including two councils, in the last 15 months over data breaches affecting victims of domestic abuse.

The two councils were Wakefield Borough Council and Nottinghamshire County Council.

The five other organisations listed in the warning included a law firm, a housing association, an NHS trust, the Department for Work and Pensions, and South Wales Police.

Wakefield was reprimanded by the ICO after the council – as part of child protection legal proceedings – sent a court bundle containing the mother's home address and her two children to the children's father.  

The mother was described as fearful of the father due to a history of ongoing domestic violence and a break-in at her previous accommodation, according to the ICO.

As a result of the breach, the mother and her children had to move into emergency alternative accommodation on the same day of the breach.

In the case of Nottinghamshire, a social worker sent copies of an assessment report on two children to the mother and two ex-partners.

The report contained sensitive personal information that should have been redacted from the copies sent to the partners, the ICO said.

The ICO said root causes for the breaches varied, but common themes were a lack of staff training and failing to have robust procedures in place to handle personal information safely.

John Edwards, UK Information Commissioner, said the prevalence of these data breaches, exposing the victims to further risk, was "a pattern that must stop".

He added: "Organisations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear mistakes were made and organisations must resolve the issues that lead to these breaches in the first place.

"Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information - all these things reduce the risk of even greater harm.

"Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe."

The Domestic Abuse Commissioner for England and Wales, Nicole Jacobs, "wholeheartedly" supported the Information Commissioner's calls on organisations to handle the information of victims of domestic abuse safely.

Jacobs said: "It takes a huge amount of bravery for victims and survivors of domestic abuse to come forward, and many go to extreme lengths to protect themselves from the perpetrator. To then be exposed to further harm due to poor data handling is a serious setback. 

"That seven organisations have breached victims' data in the past two years, with some sharing their address with the perpetrator, is extremely dangerous. For victims of domestic abuse, a data breach can be a matter of life or death."

Gillian Marshall, Wakefield Council’s Chief Legal Officer, said: “Any data breach is unacceptable but in situations like this there could be significant consequences. This is why we acted very quickly and took immediate action to ensure the safety of those affected.

“We were determined to ensure what we learnt was implemented across the whole organisation. We worked with the Information Commissioner’s Office to develop an action plan which is now complete.  There are new internal processes which are regularly tested and reviewed alongside ongoing assurance checks to prevent this from happening again.”

Nottinghamshire County Council has been approached for comment.

Adam Carey