UK Information Commissioner reprimands Charnwood Borough Council for disclosing the new address of a domestic abuse victim to her ex-partner. Meanwhile in Australia there is a serious data breach involving 11,000 records of the National Disability Insurance Agency.
November 30, 2023 |
Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Oftentimes it is a list of individuals. In this case Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex-partner! It arose from an administrative bungle, with a letter being sent to the previous address of the victim, which she had shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.
The ICO’s media release provides:
The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.
The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.
They should make sure:
- Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
- A proper process is in place for address changes
- Data protection training is carried out, including refresher training.
In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner.
The incident reinforces the call by the Information Commissioner earlier this year for organisations to handle personal information properly to avoid putting victims of domestic abuse at the risk of further danger.
“This mistake was caused by a lack of appropriate refresher training, and the absence of a clear process. It led to significant distress and had the potential to put the victim in real danger.
“Vulnerable people need to be able to trust public sector organisations to look after their most sensitive details. We hope other organisations can learn from what went wrong in this case and ensure they know what to do to stop it happening at their organisation.”
– Natasha Longson, ICO Head of Investigations
The reprimand relevantly provides:
- The lack of a clear written process for address changes for staff to follow, and the fact that an alert was not put on the file which would have indicated the necessity to be extra vigilant when completing correspondence duties, is evidence that the Council had not done all that may be expected of an organisation that routinely deals with vulnerable service users.
- The Council was already aware of allegations of domestic abuse made against the ex-partner by the data subject when she called to inform the Council of a move to a new address. A member of staff added the data subject’s new address to the notes on the system rather than updating the address field, and there was no evidence that the data subject was informed that she would have to update her application herself by logging into it online. As such, the data subject believed her new address details to have been successfully updated.
- The Council sent a letter to her previous address that she shared with her ex-partner, advising of the need to update her address. This letter contained her new address and was subsequently confirmed to have been opened and read by her ex-partner.
- The system did not have a relevant alert function in place to indicate the necessity for staff to be extra vigilant when dealing with vulnerable service users.
- There was an absence of a written and well communicated process for dealing with correspondence in these circumstances for staff to use. In addition, the Council had not ensured that all members of staff involved in this incident had received data protection training in the twelve months prior to the incident.
- This incident could have been avoided had there been a robust written process that staff were fully aware of, recent data protection training provided, and an appropriate alert system in place to highlight matters where extra vigilance and checking procedures would be required to ensure the protection of vulnerable service users.
Mitigating factors
- Remedial measures taken in the immediate aftermath of the incident were swift and appropriate including:
  - guidance to staff regarding the importance of ensuring data is managed securely and the consequences of breaches, and the incorporation of data protection as a standard item in team meetings and staff one-to-one meetings.
  - ensuring that all other intended remedial measures are fully implemented such as a letter creation feature with automatic correspondence address population, the addition of a relevant alert system, and a review of letter templates to ensure these reiterate the requirement for customers to update online applications following a change in address.
  - ensuring that all staff who may deal with vulnerable service users are provided with robust guidance and training on the correct handling of personal data.
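The failure chain in the reprimand (new address typed into the notes instead of the address field, no alert on the file, letter auto-addressed from the stale field and disclosing the new address) and the remedial controls (automatic correspondence address population plus an alert system) can be modelled as a simple pre-send gate. This is an added illustration, not code from the Council or the ICO; the record structure, the `address:` note convention and the sample addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed convention: staff sometimes record an address in free-text notes as "address: ...".
ADDRESS_NOTE = re.compile(r"^address:\s*(.+)$", re.IGNORECASE)


@dataclass
class ServiceUserRecord:
    user_id: str
    address: str                               # authoritative correspondence address field
    previous_addresses: list = field(default_factory=list)
    safeguarding_alert: bool = False           # the "extra vigilance" alert the ICO called for
    notes: list = field(default_factory=list)  # free text, where the stale address ended up


def update_address(record: ServiceUserRecord, new_address: str) -> None:
    """Proper change: update the address *field* and keep the old one for later checks."""
    if record.address != new_address:
        record.previous_addresses.append(record.address)
        record.address = new_address


def addresses_in_notes(record: ServiceUserRecord) -> list:
    """Addresses that were written into notes rather than the address field."""
    found = []
    for note in record.notes:
        m = ADDRESS_NOTE.match(note.strip())
        if m:
            found.append(m.group(1).strip())
    return found


def gate_letter(record: ServiceUserRecord, body: str) -> tuple:
    """Destination is auto-populated from the address field (the remedial measure).
    Returns (decision, destination, reason); nothing is posted unless decision is SEND."""
    dest = record.address
    # 1. Field/notes inconsistency: the field may be stale, so do not post to it.
    stale = [a for a in addresses_in_notes(record) if a != dest]
    if stale:
        return ("BLOCK", dest, "address in notes differs from address field; reconcile first")
    # 2. A letter must never disclose an address other than the one it is sent to.
    known = record.previous_addresses + addresses_in_notes(record)
    leaked = [a for a in known if a != dest and a in body]
    if leaked:
        return ("BLOCK", dest, "letter body discloses another address on file")
    # 3. Vulnerable service user: hold for a manual check before anything is posted.
    if record.safeguarding_alert:
        return ("HOLD_FOR_REVIEW", dest, "safeguarding alert set; manual check required")
    return ("SEND", dest, "ok")
```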
Meanwhile in Australia a mini scandal involving a data breach is reported in itnews: NDIA data breach claimed to impact 11,000 “records”. The NDIA made no comment but has set out what it does in the event of a data breach. The data breach was caused by an insider, a well known but less reported form of data breach. Given that a staff member and a representative of a service provider have been arrested over this breach, it is reasonable to assume that profit was a motive, actual or potential.
The itNews story provides:
Exact number of participants caught up in incident is still unknown.
The National Disability Insurance Agency (NDIA) staffer charged in connection with a data breach is alleged to have shared around 11,000 “records” with at least one service provider associated with the scheme.
Government services minister Bill Shorten quantified the size of the data breach during a doorstop interview in Canberra.
“It appears … the charge is that this person is alleged to have provided about 11,000 records, not all participants, to providers,” Shorten said.
Shorten would not confirm the actual number of participants who had their data leaked, or clarify the participants-to-records ratio.
He would only say that the number of participants caught up is “a smaller number than the 11,000 [records].”
Shorten suggested the alleged unauthorised sharing of data had not been occurring for a long time.
He noted it was “not a cyber breach” of the agency, but instead a case of insider threat.
“We don’t think it’s been going on for a very long time,” he said.
“I don’t want to comment too much more about the individual investigation, but certainly it is the case that someone who was working within the public service at the NDIA has provided information of a personal nature, and we’ve acted.”
Earlier, iTnews reported that “some” of the information disclosed on participants included “full name, date of birth, gender address, including postcode,” but that “in a small number of cases … further details [were] disclosed.”
The staffer, and a person associated with one service provider, have been arrested and charged.
The agency said it “believes this incident is financially motivated”.
It said that all impacted individuals would be directly contacted by the NDIA.