The Bulletin


.

For domestic violence victim-survivors, a data or privacy breach can be extraordinarily dangerous

  • Written by Catherine Fitzpatrick, Adjunct Associate Professor, School of Social Sciences, UNSW Sydney

A suite of recent cybersecurity data breaches highlight an urgent need to overhaul how companies and government agencies handle our data. But these incidents pose particular risks to victim-survivors of domestic violence.

In fact, authorities across Australia and the United Kingdom are raising concerns about how privacy breaches have endangered these customers.

The onus is on service providers – such as utilities, telcos, internet companies and government agencies – to ensure they don’t risk the safety of their most vulnerable customers by being careless with their data.

Read more: The $500 million ATO fraud highlights flaws in the myGov ID system. Here's how to keep your data safe[1]

A suite of incidents

Earlier this year, the UK Information Commissioner reported it had reprimanded[2] seven organisations since June 2022 for privacy breaches affecting victims of domestic abuse.

These included organisations revealing the safe addresses of the victims to their alleged abuser. In one case, a family had to be moved immediately to emergency accommodation.

In another case, an organisation disclosed the home address of two children to their birth father (who was in prison for raping their mother).

The UK Information Commissioner has called for better training and processes. This includes regular verification of contact information and securing data against unauthorised access.

In 2021, the Australian Information Commissioner and Privacy Commissioner took action against Services Australia[3] for disclosing a victim-survivor’s new address to her former partner.

The commissioner ordered a written apology and a A$19,980 compensation payment. It also ordered an independent audit of how Services Australia updates contact details for separating couples with shared records.

An earlier case[4] involved a telecommunications company and the publisher of a public directory.

The commissioner ordered them each to pay $20,000 to a victim of domestic violence whose details were made public, which jeopardised her safety.

More recently, the Energy and Water Ombudsman Victoria reported a case[5] where an electricity provider inadvertently provided a woman’s new address to her ex-partner. The woman had to buy security cameras for protection. The company has since revised its procedures.

The Energy and Water Ombudsman Victoria has also reviewed complaints[6] received in 2022-23 related to domestic violence. These include failing to flag accounts of victims who disclosed abuse, as well as potentially unsafe consumer automation and data governance processes.

The Victorian Essential Services Commission accepted a court-enforceable undertaking[7] from a water company that it would improve processes after allegations its actions put customers affected by family violence at risk.

The commission found the company failed to adequately protect the personal information of two separate customers in 2021 and 2022, by sending correspondence with their personal information to the wrong addresses.

In both cases, the customer had not disclosed their experience of domestic violence. Nevertheless, the regulator noted these “erroneous information disclosures put these customers at risk of harm”.

Australia’s Telecommunications Industry Ombudsman received about 300 complaints[8] involving domestic violence in 2022-23, with almost two-thirds relating to mobile phones.

Complaints included instances of telcos disclosing the addresses of victim-survivors to perpetrators or of frontline staff not believing victim-survivors. There were also cases of telcos insisting a consumer experiencing family violence contact the perpetrator of family violence. The report noted:

For example, one person was asked by her telco to bring her abusive ex-partner into a store to change her number to her new account.

We’ve also had complaints about telcos disconnecting the services of a consumer experiencing family violence – sometimes at the request of the account holder who is the perpetrator of the violence – despite access to those services being critical to the consumer staying safe.

The Australian Financial Complaints Authority resolved more than 500 complaints[9] from people experiencing domestic and family violence in 2021-22, including those related to privacy breaches.

A woman looks out a window.
Accidental privacy leaks can put customers who’ve experienced domestic violence at risk of serious harm. Basak Gurbuz Derman/Getty

Change is slowly under way

In May, new national rules[10] came into force to provide better protection and support to energy customers experiencing domestic violence.

These rules mandate retailers prioritise customer safety and protect their personal information. This includes account security measures to prevent perpetrators from accessing victim-survivors’ sensitive data.

They also prohibit the disclosure of information without consent. In issuing its rules, the Australian Energy Markets Commission noted the heightened risk of partner homicides following separations.

The Telecommunications Industry Ombudsman has called for mandatory, uniform and enforceable rules[11]. The current voluntary industry code and guidelines fall short in protecting phone and internet customers experiencing domestic violence.

New rules should include training, policies and recognition of violence as a cause of payment difficulties. They should also factor in how service suspension or disconnection affects victim-survivors.

The Australian Information and Privacy Commissioner said[12] last year:

Sadly, we continue to receive cases of improper disclosure of personal information off line by businesses to ex partners who target women in family disputes and domestic violence. All of these issues reinforce the need for privacy by design.

In its response to a review of the Privacy Act[13], the government has agreed the Office of the Australian Information Commissioner should help develop guidance to reduce risk to customers.

We must work harder to ensure data and privacy breaches do not leave victim-survivors of domestic violence at greater risk from perpetrators.

The National Sexual Assault, Family and Domestic Violence Counselling Line – 1800 RESPECT (1800 737 732) – is available 24 hours a day, seven days a week for any Australian who has experienced, or is at risk of, family and domestic violence and/or sexual assault.

References

  1. ^ The $500 million ATO fraud highlights flaws in the myGov ID system. Here's how to keep your data safe (theconversation.com)
  2. ^ reprimanded (ico.org.uk)
  3. ^ took action against Services Australia (www.austlii.edu.au)
  4. ^ earlier case (www.oaic.gov.au)
  5. ^ case (www.ewov.com.au)
  6. ^ reviewed complaints (www.ewov.com.au)
  7. ^ accepted a court-enforceable undertaking (www.esc.vic.gov.au)
  8. ^ 300 complaints (www.tio.com.au)
  9. ^ resolved more than 500 complaints (www.afca.org.au)
  10. ^ new national rules (www.aemc.gov.au)
  11. ^ mandatory, uniform and enforceable rules (www.tio.com.au)
  12. ^ said (www.oaic.gov.au)
  13. ^ review of the Privacy Act (www.ag.gov.au)

Authors: Catherine Fitzpatrick, Adjunct Associate Professor, School of Social Sciences, UNSW Sydney

Read more https://theconversation.com/for-domestic-violence-victim-survivors-a-data-or-privacy-breach-can-be-extraordinarily-dangerous-216630