- This story was updated on 26 April 2018; please see final paragraph
The Information Commissioner’s Office is considering what action to take after Oxfam accidentally released details that enabled the whistleblowers in the Haiti sexual exploitation scandal to be identified.
The ICO confirmed it had investigated the aid charity after the data breach, which took place in February and was reported by Oxfam itself to both the ICO and the Charity Commission.
Breaches of data regulations can lead to fines of up to £500,000 in the most extreme cases and to criminal prosecution of the people responsible.
In February, The Times newspaper revealed that, in 2011, seven Oxfam employees in Haiti had been quietly sacked or allowed to resign after an investigation by the charity of allegations of sexual exploitation, bullying and intimidation.
Oxfam failed to fully report the nature of its investigation to the commission, and many of the men involved went on to secure similar jobs at other aid organisations.
In response to the story in February, Oxfam made a copy of its report on the incident publicly available, but in the first version that was sent out, the job titles of those involved had not been properly redacted, enabling them to be identified.
The report revealed details of those who were sacked or quit during the investigation, but the details of witnesses and whistleblowers were also exposed, leading to a death threat being received by one of those people, according to The Times.
A spokeswoman for Oxfam said: "In order to be as transparent as possible about the decisions made during our investigation into sexual misconduct by some former Oxfam staff in Haiti, we published a redacted copy of our final internal investigation report from 2011 on 19 February.
"Unfortunately, due to a technical error the report was not securely redacted when it was first circulated. We apologise for this mistake."
She said the charity had taken immediate action to correct the error, sending out a more thoroughly redacted version, and reported the breach to the ICO and the Charity Commission.
She said anyone who could potentially be identified because of the breach had been informed.
The charity last night contacted all organisations that received a copy of the improperly redacted report, including Third Sector, asking them to delete the data.
The ICO can impose fines of up to £500,000 for breaching the Data Protection Act, or can order the charity to take particular actions or conduct audits to improve its data management.
The Data Protection Act will next month be superseded by the General Data Protection Regulation, which will introduce stricter rules and more stringent penalties for those who break them.
The ICO spokeswoman said: "We have completed our investigation and we are considering our regulatory options."
- The story originally said the names of the whistleblowers had accidentally been revealed by Oxfam when it first published its report, when in fact it was their job titles that had not been properly redacted.