12 December, 2023
The Information Commissioner's Office (ICO) has announced it has taken enforcement action against Charnwood Borough Council following an incident where the Council disclosed a woman's new address to her ex-partner, whom she had accused of domestic abuse.
Following an investigation, the ICO has concluded that the Council infringed the following provision of the UK GDPR:
Article 5(1)(f) - personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
In their findings, the ICO determined that the Council did not properly communicate the process to make address changes to the individual and that there was an absence of a documented process for dealing with correspondence in sensitive circumstances, such as cases of alleged domestic abuse.
The ICO found that a member of staff entered the woman's new address in the notes section of the Council's system, rather than updating the address field. Additionally, the woman was not advised that she needed to complete her address change online herself in order for the address to be successfully updated. Because the online address change was not completed, the Council wrote to the woman at her previous address (where her ex-partner resided) advising her of the need to update her address. The letter contained the details of the woman's new address. Given the allegations of domestic abuse, the disclosure of her new address caused significant distress to her and put her at risk of harm.
The ICO also highlighted a lack of staff training as its investigation discovered that not all staff involved in the incident had received data protection training in the 12 months prior to the incident.
The reprimand also details further action the ICO recommends that the Council takes to ensure compliance with the UK GDPR. This includes:
Ensure that the Council completes all remedial measures it has suggested in the Action Plan it provided to the ICO as soon as possible;
Provide regular refresher training for staff to ensure staff knowledge of the need to be vigilant when processing the personal data of vulnerable service users, such as those who have suffered domestic abuse;
Ensure that all staff who may deal with vulnerable service users are provided with robust guidance and training on the correct handling of personal data.
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.
From December 2022, the ICO announced it would now publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
The announcement of this reprimand comes only two months after the ICO warned that data breaches put domestic abuse victims' lives at risk (Data breaches put domestic abuse victims' lives at risk, UK Information Commissioner warns | ICO). In that warning the ICO confirmed that 7 reprimands had been issued over the previous year for data breaches affecting victims of domestic abuse, most for cases related to organisations inappropriately disclosing the victim's home address to alleged perpetrators.
In this case, the breach could have been avoided in several ways including by either not sending the correspondence to the previous address or not including the reference to the new address in the correspondence. The ICO's reprimand suggests a lack of training and awareness contributed to the breach occurring.
Staff awareness is crucial to prevent data breaches from occurring in the first instance. Regular data protection training should include how to protect personal data and the consequences of failing to protect personal data so that staff are aware of the risks of disclosing personal data incorrectly.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.