For domestic violence victim-survivors, a data or privacy breach can be extraordinarily dangerous

A suite of recent cybersecurity data breaches highlight an urgent need to overhaul how companies and government agencies handle our data. But these incidents pose particular risks to victim-survivors of domestic violence.

In fact, authorities across Australia and the United Kingdom are raising concerns about how privacy breaches have endangered these customers.

The onus is on service providers – such as utilities, telcos, internet companies and government agencies – to ensure they don’t risk the safety of their most vulnerable customers by being careless with their data.

Read more: The $500 million ATO fraud highlights flaws in the myGov ID system. Here's how to keep your data safe^[1]

A suite of incidents

Earlier this year, the UK Information Commissioner reported it had reprimanded^[2] seven organisations since June 2022 for privacy breaches affecting victims of domestic abuse.

These included organisations revealing the safe addresses of the victims to their alleged abuser. In one case, a family had to be moved immediately to emergency accommodation.

In another case, an organisation disclosed the home address of two children to their birth father (who was in prison for raping their mother).

The UK Information Commissioner has called for better training and processes. This includes regular verification of contact information and securing data against unauthorised access.

In 2021, the Australian Information Commissioner and Privacy Commissioner took action against Services Australia^[3] for disclosing a victim-survivor’s new address to her former partner.

The commissioner ordered a written apology and a A$19,980 compensation payment. It also ordered an independent audit of how Services Australia updates contact details for separating couples with shared records.

An earlier case^[4] involved a telecommunications company and the publisher of a public directory.

The commissioner ordered them each to pay $20,000 to a victim of domestic violence whose details were made public, which jeopardised her safety.

More recently, the Energy and Water Ombudsman Victoria reported a case^[5] where an electricity provider inadvertently provided a woman’s new address to her ex-partner. The woman had to buy security cameras for protection. The company has since revised its procedures.

The Energy and Water Ombudsman Victoria has also reviewed complaints^[6] received in 2022-23 related to domestic violence. These include failing to flag accounts of victims who disclosed abuse, as well as potentially unsafe consumer automation and data governance processes.

The Victorian Essential Services Commission accepted a court-enforceable undertaking^[7] from a water company that it would improve processes after allegations its actions put customers affected by family violence at risk.

The commission found the company failed to adequately protect the personal information of two separate customers in 2021 and 2022, by sending correspondence with their personal information to the wrong addresses.

In both cases, the customer had not disclosed their experience of domestic violence. Nevertheless, the regulator noted these “erroneous information disclosures put these customers at risk of harm”.

Australia’s Telecommunications Industry Ombudsman received about 300 complaints^[8] involving domestic violence in 2022-23, with almost two-thirds relating to mobile phones.

Complaints included instances of telcos disclosing the addresses of victim-survivors to perpetrators or of frontline staff not believing victim-survivors. There were also cases of telcos insisting a consumer experiencing family violence contact the perpetrator of family violence. The report noted:

For example, one person was asked by her telco to bring her abusive ex-partner into a store to change her number to her new account.

We’ve also had complaints about telcos disconnecting the services of a consumer experiencing family violence – sometimes at the request of the account holder who is the perpetrator of the violence – despite access to those services being critical to the consumer staying safe.

The Australian Financial Complaints Authority resolved more than 500 complaints^[9] from people experiencing domestic and family violence in 2021-22, including those related to privacy breaches.

References

1. ^{^} The $500 million ATO fraud highlights flaws in the myGov ID system. Here's how to keep your data safe (theconversation.com)
2. ^{^} reprimanded (ico.org.uk)
3. ^{^} took action against Services Australia (www.austlii.edu.au)
4. ^{^} earlier case (www.oaic.gov.au)
5. ^{^} case (www.ewov.com.au)
6. ^{^} reviewed complaints (www.ewov.com.au)
7. ^{^} accepted a court-enforceable undertaking (www.esc.vic.gov.au)
8. ^{^} 300 complaints (www.tio.com.au)
9. ^{^} resolved more than 500 complaints (www.afca.org.au)
10. ^{^} new national rules (www.aemc.gov.au)
11. ^{^} mandatory, uniform and enforceable rules (www.tio.com.au)
12. ^{^} said (www.oaic.gov.au)
13. ^{^} review of the Privacy Act (www.ag.gov.au)