A woman asked South Wales Police for information about her partner’s history of violence and the force informed him she’d asked, a damning report from the Information Commissioner has revealed. The breach is one of two serious data mistakes the force made for which it was criticised by the watchdog.

The woman’s identity was disclosed to her partner when she applied for information about him in April 2020 under the Domestic Violence Disclosure Scheme (DVDS), also known as Clare’s Law. The partner had previous convictions for violence and sexual assault and was being managed by an officer from South Wales Police who was acting as his offender manager. In this incident the identity of the applicant was disclosed during a conversation between the partner and the offender manager.

The second incident reported happened in February 2020 when a police officer disclosed a woman’s identity after she made an application for information under the Child Sex Offender Disclosure Scheme (CSODS), also known as Sarah’s Law, according to the ICO.

Read more:Bar forced to close after official digs up 1980s planning restriction everyone had forgotten about

The scheme allows parents and guardians to formally request information from the police about a person who has contact with their child. The woman’s identity was disclosed by a police officer who attended a property in the course of safeguarding duties as a result of the CSDOS application.

A spokesman for South Wales Police said the matter was referred to the Independent Office for Police Conduct (IOPC) and ICO. He continued that the force fully accepts the findings and has introduced training.

The ICO stated it was particularly concerned that officers failed to act in a way that would preserve the identity of the data subjects in both incidences. The consequences had the potential to cause significant damage and distress to each of the data subjects.

The ICO’s public findings stated: “In the first incident, the officer concerned…had not received any training in DVDS, and while they had received some training as a sexual offences liaison officer, they had not completed the National MOSOVO course, nor had they received any relevant data protection training since July 2018.

“For the second incident, the evidence provided showed that the police officer had not received relevant data protection training since December 2018 and had not received training in CDODS since 2015. Training had not been kept up to date for the police officers and staff involved and South Wales Police did not ensure that training was available, was taken up, and was fully understood by those involved. If this had been done, the officers and civilian staff are likely to have been more mindful when conducting the interactions with the parties involved in both incidents which could have prevented both incidents from occurring.

“Furthermore, no appropriate guidance or documented process was in place and available for police officers and civilian staff to understand their roles and responsibilities with regard to what could and what could not be communicated to the parties involved, especially in respect of instances where MAPPA and DVDS overlap. These faults led to personal information being divulged in each of the incidents that resulted in distress to the data subjects concerned.”

The ICO considered how South Wales Police underwent an ICO Audit in September 2019. This audit noted that despite having nationally recognised information governance training, there was no formal training programme in place.

The audit report suggested that this may lead to officers and staff not being aware of their responsibilities and increased the risk of a data breach taking place. Therefore, South Wales Police “was aware of improvements that were required” in regards to training, but failed to ensure the two officers involved in the incidents had been provided with appropriate training, the ICO stated.

As a result, South Wales Police was formally reprimanded for infringements of Section 40 Part 3 of the Data Protection Act 2018. Section 40 states: “Data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, ‘appropriate security’ includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).”

The commissioner made three recommendations to South Wales Police to improve its compliance with the Data Protection Act. The first stated that the force should implement all recommendations made in the IOPC report. The second stated that the force should ensure that lines of communication are clear so that all police officers and civilian staff are aware of their responsibilities when dealing with disclosures. The final recommendation stated that the force should consider a review of its data protection reporting procedures, and what constitutes a data protection issue, to ensure that all future incidents are reported correctly and within the usual 72-hour timeframe.

A spokesman for South Wales Police said: “South Wales Police received a complaint in 2020 raising serious concerns about two applications made under the Domestic Violence Disclosure Scheme (Clare’s Law).

“The matter was investigated and referred to the Independent Office for Police Conduct and Information Commissioner’s Office to ensure it received the necessary independent oversight.

“We fully accept the findings of the ICO investigation and have already introduced training to ensure that our staff and officers have the correct level of knowledge and understanding to ensure we meet the requirements of data protection legislation when making disclosures under Clare’s Law.” According to the force, the issue refers to two applications out of the hundreds of disclosure applications the force deals with each year.

Read next: