Edwards: Organisations must do everything to look after personal data
A family law firm that disclosed personal data about a woman and children to her rapist ex-partner has been highlighted in a warning over how data breaches are putting domestic abuse victims’ lives at risk.
Jackson Quinn, based in Nottinghamshire, was among seven organisations reprimanded by the Information Commissioner’s Office (ICO) in the past 14 months for data breaches affecting victims of domestic abuse.
The others were the Department for Work and Pensions, South Wales Police, Nottinghamshire County Council, Wakefield Council, the University Hospitals Dorset NHS Foundation Trust and Bolton at Home, a housing association.
The ICO said that, while the root causes for the breaches varied, common themes were a lack of staff training and failing to have robust procedures in place to handle personal information safely.
Jackson Quinn was representing two children in relation to step-parent adoption proceedings.
In the court bundle, the firm disclosed in error to the birth father two social worker reports containing information relating to the children, their mother, her husband (including current photographs) and extended family members, including the children’s school and the family’s address.
The birth father was representing himself and serving a prison sentence for three convictions of raping the mother.
“He is therefore deemed to pose a high risk to the mother and there is concern that he may attempt to use information disclosed within the Annex A reports to locate the mother, her husband and the children and seek to cause them harm,” the ICO told Jackson Quinn last year.
The ICO noted that the family had changed address and schools since the reports were compiled, however, giving the mother, step-father and children “some level of protection”.
Jackson Quinn claimed the third-party family members in the reports were all known to all parties involved in the case and while other third parties were named, information such as addresses were not included.
“Since the breach, the father had been ordered to return the reports to the prison, which were then destroyed. He no longer has a physical copy of the Annex A reports,” the ICO said.
“It was also discovered through the course of the investigation that Jackson Quinn was not properly redacting documents provided to the ICO. Information was still visible through the marker-pen redactions provided.”
The law firm also provided an out-of-date data protection policy to the ICO, and the link to the ICO website in it was incorrect.
The data protection policy was dated 2019 “and there is no version control, so employees would not know whether they are looking at the newest version or not”. The law firm had not provided “any evidence that the policy has been read or understood by staff.”
However, the ICO said it welcomed the “remedial steps” taken by the firm following the incident, including the creation of a specific policy on data protection in domestic abuse cases and adoption proceedings.
The ICO issued the law firm with a reprimand, highlighting the failure by Jackson Quinn to have a “suitable policy in place regarding the creation of adoption bundles”, and a general “lack of policies and procedures” at the time of the breach, meaning that “there were no guidelines for staff to follow”.
It recommended that the law firm update its data protection policy, consider implementing a written bundle creation policy and review its redaction policy, making sure that “appropriate software is used in future”.
Information Commissioner John Edwards said: “These families reached out for help to escape unimaginable violence, to protect them from harm and to seek support to move forward from dangerous situations. But the very people that they trusted to help, exposed them to further risk.
“This is a pattern that must stop. Organisations should be doing everything necessary to protect the personal information in their care.
“The reprimands issued in the past year make clear that mistakes were made and that organisations must resolve the issues that lead to these breaches in the first place.
“Getting the basics right is simple – thorough training, double checking records and contact details, restricting access to information. All these things reduce the risk of even greater harm.”
Leave a Comment