The UK’s privacy regulator has warned organizations handling the personally identifiable information (PII) of domestic abuse victims that data breaches could put lives at risk.
The latest missive from the Information Commissioner’s Office (ICO) follows reprimands issued by the watchdog to seven organizations in the past 14 months after sensitive PII was breached.
The ICO said the organizations in question included a law firm, a housing association, an NHS trust, a government department, local councils and a police service. The cases include:
- Four instances where organizations revealed the safe addresses of the victims to their alleged abuser. In one case, a family had to be immediately moved to emergency accommodation.
- Accidentally revealing the identities of women seeking information about their partners to those partners
- Disclosing the home address of two adopted children to their birth father, who was in prison on three counts of raping their mother
- Sending an unredacted assessment report about children at risk of harm to their mother’s ex-partners
In most of these cases, a lack of staff training and robust procedures for data handling were to blame, the ICO claimed.
“These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk,” said information commissioner, John Edwards.
“This is a pattern that must stop. Organizations should be doing everything necessary to protect the personal information in their care. The reprimands issued in the past year make clear that mistakes were made and that organizations must resolve the issues that lead to these breaches in the first place.”
Edwards said getting the basics right doesn’t have to be hard. It includes double-checking records before PII is transferred, altered or disclosed, and ensuring any data held is always accurate, so that it isn’t disclosed to an old address, email address or contact number.
It should also mean restricting access to sensitive information, for example through passwords and access controls, he added. The ICO also said data protection training should be “role-specific, tailored and relevant to the tasks being completed.”
“Protecting the information rights of victims of domestic abuse is a priority area for my office, and we will be providing further support and advice to help keep people safe,” concluded Edwards.