Organisations must do more to support people affected by data breaches, says ICO
Nearly 30 million people in the UK have experienced a data breach, according to the Information Commissioner’s Office, with 55% of UK adults saying they have had their data lost or stolen.
However, 25% said they received no support from the organisations responsible and 32% found out through the media rather than from the organisation itself.
‘Empathy & action’
The Information Commissioner’s Office has published new guidance to help organisations in their communications with people following a breach. It reminds organisations that data protection is about people, first and foremost, and calls for “empathy and action” when working with vulnerable people who have experienced a data breach.
To some organisations, it says, a data breach ‘might seem like a temporary setback – something that can be patched up with technical fixes and compliance reviews. But from the perspective of individuals – especially those in vulnerable situations – a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate’.
It adds that organisations have a role to stop this ripple effect in someone’s life from spreading further.
ICO guidance
In the event of a data breach, the ICO says organisations and their frontline colleagues should:
- Promptly assess the risks to the individuals involved, including your reporting and notification duties.
- Acknowledge what has happened with the person affected by a breach.
- Be human and accessible in their response and commit to making sure it doesn’t happen again.
- Share the ICO’s guidance with people affected by a breach.
- Share the ICO’s toolkit of resources with staff to help change the culture and ensure that empathy is at the heart of their response.
The ICO’s resources can be found here.
In an article published alongside the figures on data breaches, Information Commissioner John Edwards said that people in vulnerable situations – such as survivors of domestic abuse and those living with long-term health conditions – are often disproportionately affected.
He added:
“There are two important things I need organisations to understand: empathy and action. You have a role to stop the negative ripple effect in someone’s life from spreading further. It is vitally important to acknowledge what has happened, be human in your response and commit to making sure it doesn’t happen again.
“We trust organisations with some of the most sensitive personal information imaginable, yet these data breaches continue to happen. This is not just an admin error – it is about people. When data is mishandled, it can have serious and long-lasting consequences, particularly for people in vulnerable situations. We need organisations across the country to do better.”
Adam Freedman, Policy, Research & Influencing Manager at National AIDS Trust, who worked with the ICO on ensuring that the harms of personal HIV data breaches are recognised and understood, said:
“The stigma and discrimination experienced by people living with HIV is compounded by the additional distress caused by unlawful data breaches. We welcome the new guidance provided by the ICO and urge organisations to consider the very real human impact of mishandling someone’s personal information.”
The research was conducted by Savanta on behalf of the ICO, and saw 5,533 members of the UK public surveyed earlier in the year.