The Church of England’s Data Breach: Prayer is not Preparation
Incident Summary: What Went Wrong?
The Church of England suffered a significant data breach involving safeguarding information about survivors of church abuse. The breach occurred via a third-party law firm, with root causes traced to insufficient technical controls, the absence of a robust CRM system, and weak third-party validation processes. This incident has raised major concerns over data protection, privacy, and the organisation’s compliance with the GDPR. Prayer is not preparation, and there was no excuse for this preventable breach to have taken place.
Five Technical Prevention Measures
- Implement Access Controls: Use strict access controls and role-based permissions. Only authorised staff should have the minimum necessary access to safeguarding data.
- Adopt a Secure CRM System: Introduce a dedicated, encrypted CRM for safeguarding cases, centralising data and making it secure, auditable, and not reliant on ad hoc or email-based record-keeping.
- Third-Party Security Audits: Mandate robust cybersecurity audits and Data Protection Impact Assessments (DPIAs) before onboarding any external legal or data handling vendors.
- Automated Email Safeguards: Use email software that enforces ‘blind carbon copy’ (BCC) by default for mass communications, especially for confidential survivor data.
- Strong Encryption & Monitoring: Encrypt all data in transit and at rest, with continuous monitoring for unauthorised access or suspicious transfers, especially when working with third-party systems.
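The BCC-by-default and monitoring measures above, as an added example written for this article (it is not Church of England, law-firm or vendor code): a small outbound-mail policy in Python that moves every visible To/Cc recipient into Bcc once a message counts as mass communication, treats anything carrying a hypothetical `[SAFEGUARDING]` subject tag as confidential (never more than one visible recipient), and returns an audit record for each rewrite so the monitoring pipeline sees it. The threshold, the tag, the `noreply@example.org` sender box and the sample messages are all constructed assumptions.

```python
"""Outbound-mail guard: enforce Bcc for mass or confidential messages.

Added example for this article; not code from the Church of England, its
law firm or any vendor. Assumptions (all hypothetical): an outbound gateway
sees each message before delivery, and safeguarding mail carries the
subject tag "[SAFEGUARDING]".
"""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1                      # more To/Cc recipients than this = mass mail
CONFIDENTIAL_TAG = "[SAFEGUARDING]"  # hypothetical subject marker


def visible_recipients(msg):
    """Addresses every recipient can see, i.e. everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def enforce_bcc(msg, sender_box, max_visible=MAX_VISIBLE):
    """Rewrite msg in place if it would expose recipients to each other.

    Returns (action, audit_record). action is "pass" when nothing changed
    and "rewritten" when To/Cc were moved to Bcc. The audit record is the
    event the monitoring pipeline ingests, so a rewrite is never silent.
    """
    visible = visible_recipients(msg)
    confidential = CONFIDENTIAL_TAG in (msg.get("Subject") or "")
    # Confidential mail may never show more than one recipient; ordinary
    # mail is only rewritten once it crosses the mass-mail threshold.
    limit = 1 if confidential else max_visible
    audit = {
        "subject": str(msg.get("Subject")),
        "confidential": confidential,
        "visible_before": len(visible),
        "hidden": 0,
    }
    if len(visible) <= limit:
        return "pass", audit

    # Hide the real recipients: the sender's own box goes in To so the
    # header is not empty, and everyone else moves to Bcc. A compliant MTA
    # (and smtplib.send_message) strips the Bcc header before delivery.
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender_box
    msg["Bcc"] = ", ".join(visible)
    audit["hidden"] = len(visible)
    return "rewritten", audit


def audit_outbox(messages, sender_box, max_visible=MAX_VISIBLE):
    """Run the policy over a batch and return one record per rewrite."""
    events = []
    for msg in messages:
        action, audit = enforce_bcc(msg, sender_box, max_visible)
        if action == "rewritten":
            events.append(audit)
    return events


def build_samples():
    """Constructed sample messages (not real correspondence)."""
    confidential = EmailMessage()
    confidential["From"] = "safeguarding@example.org"
    confidential["To"] = "survivor1@example.net, survivor2@example.net"
    confidential["Cc"] = "survivor3@example.net"
    confidential["Subject"] = "[SAFEGUARDING] Update on your case"
    confidential.set_content("Dear all, please find the update below.")

    routine = EmailMessage()
    routine["From"] = "office@example.org"
    routine["To"] = "one.person@example.net"
    routine["Subject"] = "Meeting room booking"
    routine.set_content("Booked for Tuesday.")

    bulletin = EmailMessage()
    bulletin["From"] = "office@example.org"
    bulletin["To"] = "a.reader@example.net, b.reader@example.net"
    bulletin["Subject"] = "Parish bulletin"
    bulletin.set_content("This month's news.")
    return [confidential, routine, bulletin]


if __name__ == "__main__":
    for event in audit_outbox(build_samples(), "noreply@example.org"):
        print(event)
```

The policy deliberately rewrites rather than relying on the sender remembering BCC, and every rewrite produces a record with the recipient count and confidentiality flag, which is the signal a monitoring team would alert on when a confidential message is repeatedly composed with recipients in the open.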
GDPR Impact: Why This Matters
This breach constitutes a major GDPR incident, as sensitive survivor data was disclosed without consent. Affected individuals can claim compensation for distress and anxiety. The Church and its legal partners must report the breach to the Information Commissioner’s Office, and regulatory scrutiny may follow—including potential fines or censure. Survivors’ data is especially protected, and a clear lack of DPIA and vendor management is likely to be a focus.
Process Improvement Recommendations
- Formal Governance Policy: Establish a policy aligned to GDPR and best practice, covering all staff and vendors handling safeguarding data.
- Vendor Due Diligence: Require GDPR-compliant contracts, ongoing monitoring, and security training for all external partners.
- Incident Response Planning: Create and rehearse robust incident response plans—including regular breach simulations.
- Centralised Case Management: Use encrypted, auditable systems for all safeguarding cases.
- Safeguarding Data Protection Officer: Appoint a dedicated officer to oversee all safeguarding data activities and third-party relations.
Conclusion
Stronger technical controls, validated third-party processes, and clear administrative procedures are now essential for meaningful safeguarding and true GDPR compliance within the Church of England. These lessons extend to any organisation managing highly sensitive personal data.
For expert guidance on compliance, safeguarding, and technical resilience, contact Jen Stirrup Consulting.