If you need support, please go to Safe Spaces England and Wales. Don’t go to anyone in the Church of England, and especially not a seemingly friendly, affable and receptive Vicar. They will only sustain and further damage any trust that you have, and you are only asking for trouble if you go for help to an organisation that allows such harm. They will prefer to be right than to be loving, and their theology degrees are a masterclass of expediency.
The Church of England’s recent data breaches serve as a stark reminder that even organisations handling the most sensitive personal information can fall victim to preventable security failures. In August 2025, two separate incidents exposed fundamental weaknesses in data protection protocols, affecting some of society’s most vulnerable individuals: abuse survivors and those undergoing safeguarding checks.
These breaches offer critical lessons for any organisation handling sensitive personal data, particularly those serving vulnerable populations. The technical and procedural failures reveal gaps that exist across the Church of England and its engagement of third parties, making this case study essential reading for data protection professionals.
The recent Makin Report repeats recommendations made in dozens of safeguarding reports over 40-plus years, recommendations that the Church of England has chosen to ignore or disregard. The Church of England set up an Independent Safeguarding Board in 2021, for instance, but it was beset by internal conflicts and was closed in 2023; there has been no tangible movement since then.
The Incidents: When Trust Meets Technical Failure
On August 27, 2025, Kennedys Law LLP, the independent administrator of the Church of England’s Redress Scheme for abuse survivors, accidentally disclosed the email addresses of 194 individuals and law firms in a routine update communication. The breach occurred due to human error when staff failed to use blind carbon copy (BCC) functionality, instead making all recipient email addresses visible to every other recipient. The email was addressed to ‘Dear Prospective Applicant’, making it clear that these 194 individuals had suffered abuse in the Church of England.
This wasn’t an isolated incident. Just ten days earlier, on August 17, 2025, Access Personal Checking Services (APCS), which processes DBS checks for many dioceses and parishes, suffered a cyber attack through their external software supplier Intradev. This breach affected data collected between December 2024 and May 2025, including names, dates of birth, email addresses, postal addresses, National Insurance Numbers, and passport details.
The timing and nature of these incidents highlight a pattern of inadequate technical controls across the Church’s data ecosystem. As one affected survivor’s legal representative noted:
“This breach represents not just a technical failure, but a fundamental breakdown in the duty of care owed to some of society’s most vulnerable individuals.”
It is shocking – but somewhat unsurprising – that the data breach took so long to come to light.
GDPR Impact: More Than Just Regulatory Compliance
The breaches constitute significant incidents under GDPR, particularly given they involve special category data relating to abuse survivors and safeguarding processes. The data is high-risk, and the implications extend far beyond potential regulatory fines:
Immediate GDPR Obligations:
Mandatory reporting to the Information Commissioner's Office (ICO) within 72 hours
Direct notification to affected individuals without undue delay
Demonstration of remedial measures and prevention of future incidents
Comprehensive documentation of the breach and response
Legal Exposure:
Affected individuals may claim compensation for distress caused by the breach. Given the sensitive nature of abuse survivor data, claims for psychological harm and loss of confidentiality are likely. The ICO has previously emphasised that breaches involving religious or safeguarding data can cause “substantial damage or substantial distress,” potentially triggering higher compensation awards.
Regulatory Scrutiny:
The ICO will examine whether Data Protection Impact Assessments (DPIAs) were conducted and whether vendor management practices meet GDPR standards. The involvement of multiple third parties (Kennedys, APCS, Intradev) suggests a complex data processing ecosystem that requires enhanced oversight.
Bishop Philip Mounstephen, former Chair of the Redress Scheme, acknowledged the severity:
“There can be no excuses for this failure. We must do better to protect those who have already suffered so much.”
The Church of England is very good at lip service.
Like the Tin Man, the Cowardly Lion, and the Scarecrow in the Wizard of Oz, the Church of England needs heart, wisdom, and courage to deal with its safeguarding woes. In the end, it is Toto the dog who pulls back the green curtain to reveal the ‘Wizard’, because it is the little, unseen Toto who has all of these qualities. Abuse victims in the Church of England try to pull back the Church’s green curtain on safeguarding, which takes a heart, wisdom and courage, and there are too many ‘flying monkeys’ for victims to be successful on their own. Hence, regulatory bodies should step in to clean up the mess.
Five Critical Technical Prevention Measures
Based on analysis of these incidents, the Church of England and its third parties should implement proper technical safeguards. It is clear that none of them have the technical chops to have considered these basic items at all.
1. Implement Granular Access Controls
Deploy role-based permissions ensuring only authorised personnel access sensitive data. For safeguarding data, implement the principle of least privilege with regular access reviews and automated de-provisioning when roles change.
2. Adopt Secure, Encrypted CRM Systems
Replace ad hoc email lists and manual processes with dedicated, encrypted case management systems. All safeguarding data should be centralised, with comprehensive audit trails and automatic encryption both at rest and in transit.
3. Mandate Third-Party Security Audits
Require rigorous cybersecurity audits and DPIAs before onboarding external vendors. The APCS incident demonstrates that organisations remain liable for breaches occurring through their supply chain, regardless of where the technical failure originates.
4. Configure Automated Email Safeguards
Implement technical controls that default to BCC for mass communications involving personal data. Email systems should include validation checks preventing accidental disclosure of recipient lists, with mandatory approval processes for sensitive communications.
5. Deploy Comprehensive Encryption and Monitoring
Ensure all data transmission uses end-to-end encryption with continuous monitoring for unauthorised access. Implement real-time alerting for suspicious data transfers, particularly when working with third-party systems.
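As an added illustration of measure 4 above (not code from the original post or from any organisation it names), the guard below rewrites an outgoing message so that a recipient list is never exposed: more than one external address in To/Cc is moved to Bcc, and a message that also matches a sensitive-communication marker is held for approval instead of released. It uses only the Python standard library; the threshold, the markers and every address are constructed for this example.

```python
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Assumed policy: a second visible external recipient is what turns a message
# into a mass mailing in which everyone can see who else received it.
MAX_VISIBLE_EXTERNAL = 1
# Assumed markers for communications that need sign-off before release.
SENSITIVE_MARKERS = ("dear prospective applicant", "redress scheme")


@dataclass
class GuardResult:
    action: str                 # "allow", "rewritten" or "hold_for_approval"
    visible_before: int         # addresses in To/Cc before the guard ran
    visible_after: int          # addresses in To/Cc after the guard ran
    moved_to_bcc: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _addresses(msg: EmailMessage, header: str) -> list:
    """Bare addresses from every occurrence of a header, display names dropped."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_sensitive(msg: EmailMessage) -> bool:
    """True when the subject or plain-text body matches an assumed marker."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None and part.get_payload() is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    return any(marker in text for marker in SENSITIVE_MARKERS)


def guard_outbound(msg: EmailMessage) -> GuardResult:
    """Move To/Cc into Bcc, in place, when a message would disclose its recipient list.

    smtplib's send_message() strips the Bcc header before transmission, so each
    recipient of the rewritten message sees only the sender's address.
    """
    sender = str(msg["From"])
    sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    external = [a for a in visible if a.rpartition("@")[2].lower() != sender_domain]
    if len(external) <= MAX_VISIBLE_EXTERNAL:
        return GuardResult("allow", len(visible), len(visible))
    reasons = [f"{len(external)} external addresses visible in To/Cc"]
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender                      # the sender is the only visible recipient
    msg["Bcc"] = ", ".join(visible)
    action = "rewritten"
    if _is_sensitive(msg):                  # mandatory approval step for sensitive content
        reasons.append("content matches a sensitive-communication marker")
        action = "hold_for_approval"
    return GuardResult(action, len(visible), 1, moved_to_bcc=visible, reasons=reasons)


def make_message(sender: str, to: list, cc: list, subject: str, body: str) -> EmailMessage:
    """Build a plain-text message from constructed sample values."""
    msg = EmailMessage()
    msg["From"] = sender
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed replay of the scenario: one update addressed to several applicants.
    sample = make_message("casework@law-firm.example",
                          [f"applicant-{i}@example.test" for i in range(1, 4)], [],
                          "Redress Scheme update", "Dear Prospective Applicant, ...")
    print(guard_outbound(sample))
```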
Process Improvements: Building a Culture of Protection
Technical measures alone are insufficient. Organisations need comprehensive process improvements:
Formal Data Governance Policy: Establish GDPR-aligned policies covering all data handling by internal staff and third parties, with specific protocols for safeguarding data and regular compliance audits.
Enhanced Vendor Due Diligence: Implement GDPR-compliant contracts with ongoing security monitoring and mandatory staff training for all parties managing sensitive data.
Rehearsed Incident Response: Develop and regularly test breach response procedures, including effective message recall capabilities and stakeholder communication protocols.
Centralised Case Management: Deploy unified systems with mandatory encryption, comprehensive audit logging, and role-based access controls for all sensitive information.
Dedicated Safeguarding Data Protection Officer: Appoint specialist roles to oversee data sharing activities and vendor relationships, ensuring alignment with both GDPR requirements and safeguarding best practices.
The Human Cost of Technical Failure
Beyond regulatory compliance, these breaches highlight the human impact of data protection failures. Abuse survivors who trusted the Church with their most sensitive information now face potential re-identification and loss of confidentiality. The psychological impact on individuals who have already experienced institutional failure cannot be understated.
The Church’s response, while swift, reveals the limitations of reactive measures. Kennedys attempted to recall the problematic email but was only partially successful. Prevention must always take precedence over remediation in data protection strategies.
Learning from Data Breach Failure: A Path Forward
The Church of England’s data breaches offer several critical lessons for organisations across all sectors:
Human Error Remains the Greatest Risk: Even well-intentioned staff can cause significant breaches without robust technical safeguards. Systems must be designed to prevent common errors, not merely respond to them.
Third-Party Risk is Organisational Risk: The APCS incident demonstrates that vendor failures become your failures under GDPR. Enhanced due diligence and ongoing monitoring are essential, not optional.
Sensitive Data Requires Enhanced Protection: When handling data about vulnerable populations, standard data protection measures may be insufficient. Special category data demands special care.
Trust, Once Lost, is Difficult to Rebuild: The reputational damage from these breaches extends beyond immediate regulatory consequences, affecting the Church’s ability to serve those who need support most.
Moving Forward: Recommendations for Enterprise Data Protection
For organisations seeking to avoid similar failures, the path forward requires both technical innovation and cultural change:
Invest in Prevention Over Remediation: Implement robust technical controls that prevent human error rather than relying on post-breach damage limitation.
Treat Third-Party Data as Your Own: Extend the same protection standards to all vendors and suppliers handling your data.
Regular Audit and Testing: Conduct comprehensive security assessments and breach simulation exercises to identify vulnerabilities before they’re exploited.
Prioritise Staff Training: Ensure all personnel understand both the technical and ethical implications of data protection failures.
The Church of England’s experience serves as a powerful reminder that data protection is a fundamental duty of care to those who trust organisations with their most sensitive information. In an era where data breaches can cause lasting harm to already vulnerable individuals, there truly can be no excuses for preventable failures.
For organisations serious about protecting sensitive data, the lessons from this case study are clear: robust technical controls, comprehensive staff training, and rigorous vendor management aren’t just best practices. They’re essential safeguards for maintaining the trust that forms the foundation of any service to vulnerable populations.
Cheap, Fast or Good - pick two, or pick none
In a world of ‘good, fast or cheap’, pick two, as the adage goes. The Church of England and its third parties have managed to produce systems that are neither good, fast nor cheap. These data breaches show that the Redress Scheme has been done as cheaply as possible; Microsoft Outlook and Google Workspace are not CRM systems. It is clear that the Church of England needs to make sure that a properly built technical apparatus is in place for itself and its third parties, along with better processes and personnel training in cybersecurity and common-sense measures over data. The Church of England does need proper oversight and independent people to sort out its issues, but it will not allow these sensible measures to happen. Victims are subject to systems that are not designed to protect them; if anything, the incompetence is another weapon, deterring victims from engaging with the Church of England at all. Surprisingly, many people in the Church of England are comfortable with the idea of victims being pushed out of Church; they see victims as being unChristian, unforgiving, and unsalvageable, and not worth the trouble. Their belief in a risen Saviour, who died for all, does not extend to abuse victims.
Faith - or Weaponized Incompetence?
Anglicans believe in a non-interventionist God, while simultaneously holding the conflicting view that it is a hallmark of faith to ‘leave it all to God’. In sum, the conflicting beliefs mean that nothing ever happens or improves, because they believe in ‘leaving it all to God’, a God who will not intervene. This is clear from their approach to safeguarding.
The Church of England refuses to have truly independent safeguarding, despite the strenuous efforts of a few voices who are victims themselves, or the rare Vicars who support victims. The attitude of ‘leave everything to God’ is weaponized incompetence, leaving everything to the NHS, Social Services and the Police while tinkering with broken systems.
What should the Church of England have done to prevent these issues?
Let’s take a look at how they could have prevented these issues. Ultimately, the Church of England will ‘leave it all to God’ so they won’t do anything meaningful. I’m not sure why I’m even bothering to write this post when only people who care about victims and data will read it! That said, I believe in the power to change things for the better, if people listen to its message.
In terms of the Redress Board – it doesn’t exist anymore, so there is no accountability. NST has informed individuals that the Redress Board no longer exists, and that the closing meeting was in May 2025. Going forward, the Archbishops’ Council and the Church of England’s Secretary General William Nye will manage the contract with Kennedys.
Note that the Archbishops Council is an unaccountable body. Instead, they believe that they are accountable to God – a God who does not intervene, and who forgives everything they do or fail to do through negligence and omission. It is pretty much impossible to have a reasonable conversation with people who ignore criticism, which is cast as ‘defending the faith’.
Justice is turned into piety and pride is disguised as steadfast faith. In the Church of England faith, Anglicans believe that they will be forgiven for everything and anything and that their non-interventionist God will restore everything when Jesus’ Kingdom comes.
In practice, this means that Anglicans can do whatever they like, or fail to do anything at all, and they will never be to blame because God will blot out their sin. Like Flat Earthers, they stick vehemently to a point of view that everyone else is supposed to respect. Unlike Flat Earthers, though, these views have real consequences for people, both future and current victims and their families, which will be devastatingly harmful.
What does this mean for faith? A Personal note.
Note: The following content may be triggering for some readers. If you’d prefer a blog post with the technical and practical advice only, please click here.
The Church of England ‘wins’ because people don’t have the stamina to argue with them, not because the Church of England is right. Their congregations don’t seem to think too deeply beyond their church social life and fondant fancies after church. In some sort of perverse Schrödinger’s Cat thought experiment, they seem to hold that ‘the cat might be alright, if we don’t look at it’. In other words, if they ignore their issues long enough, things will sort themselves out eventually. Do nothing, leave it all to a non-interventionist God, and nothing will happen.
The rot at the heart of the Church of England
Humans believe all sorts of things; take Flat Earthers, for example, whose Facebook pages have hundreds and thousands of members. They have a point about not accepting science at face value, although I do not hold Flat Earth views. I do try to respect other people’s beliefs. For me, the problems come in when the beliefs are harmful to other people, and the most vulnerable in particular.
Flat Earthers do not cause any harm to people. On the other hand, too many people in The Church of England believe that abuse victims are bad, not abusing clergy. They believe victims are unsalvageable and unChristian. They believe that victims should forgive clergy, and give them grace due to the heightened spiritual battles that clergy face. They believe that the sins are immediately blotted out (Isaiah 43:25; Colossians 2:14), and the sins did not happen because God has forgiven the sins. For abusers, there is no consequence and it is a cheap forgiveness for sins that cost so much for victims. For victims, they are accused of having an ego because they hold onto sins that God has forgiven.
The Church of England believes that victims aren’t Christians and commit the ‘unforgivable sin’. The central idea comes from Jesus’ words – whoever rejects you, rejects Me. They believe that victims are condemned to Hell because victims speak out against the Church and they do not forgive. In their view, victims are therefore rejecting Jesus, and that’s one of the unforgivable sins. This sermon sums it up; although it’s from a different Church, it is a common view.
As vomit-inducing as it seems to me, safeguarding goes against a core concept of the Anglican Christian faith. They think that the Holy Spirit and forgiveness are enough to prevent clergy and Christian men from abusing. The Church of England’s list of banned clergy and tribunal outcomes would suggest otherwise, of course. If you click on these links, please note that the content is distressing; basically, the extent of abuse and the high number of offending clergy will horrify most reasonable people, I should think.
Like Dorothy in the Wizard of Oz, victims are caught in a storm, trying to make their way home to a place of safety. The Church of England does not offer that safe space, and victims are told to forgive or risk losing salvation. If you question it, the attitude is simply put: ‘One person’s bullying is another person’s simple stating of facts.’ That’s the inexorable cruel attitude you are dealing with, and it will be couched in terms of Bible verses. It is like Flat Earth thinking; like some Flat Earthers, there is no halfway or compromise. Perfect rules are applied to imperfect situations when it suits people, but ultimately it is the abusers who are prioritised and there are no harsh words for abusers, only victims. The abusers are given a home, but the victims are not welcome at the altar.
Too many clergy in the Church of England will preach the resurrection of the body, while choosing to defile bodies here on earth. People in the Church will reconcile the conflicting beliefs by proclaiming that Jesus will restore, so it doesn’t matter what they do on Earth. They call it ‘radical forgiveness’, which includes immediate absolution of the worst abuses. However, ‘radical forgiveness’ does not stop abuse; if it did, authorities such as the Police, health professionals and social services could all go home, their jobs done. They believe their God offers ‘radical forgiveness’ of abusers, but it is not accompanied by a ‘radical healing’ of their victims. They believe in vicarious redemption, i.e. Jesus pays the price, not Anglicans. In truth, it is victims who pay the price.
Change is not a-coming
For ‘change’, read ‘improvement’. The unchangingness of Anglicanism is seen as A Very Good Thing – but when the lack of change/improvement is indelibly harmful to people, you are faced with a choice. You either engage with a Church that is so evidently opposed to being victim-centred, or you validate and honour an institution that goes against the moral grain of natural justice. The Church isn’t going to change, believing it is true to its faith. For change to come, it has to affect people personally. However, while they believe in vicarious redemption and radical forgiveness, change is not a-coming – as if change is the enemy. There will be no ownership, accountability or responsibility – and you need all three of these concepts when you work with data.
In reality, victims pay the price for sin – not Jesus – and will continue to do so in the name of the Anglican faith. The Church of England and its third parties have combined to fail victims yet again, through inadequate technical guardrails, processes and human error.
Forgiveness does not work to protect anyone from abuse, and never will. There are no happy endings for victims, and no awards or tokens to tell victims that they have courage, a heart, and wisdom.
Parting Note
If victims have an ‘ego’ because they actually do something to protect other people, then I’m sure that’s a criticism that they can live with. It could be viewed as moral courage instead, and it seems to apply only to a handful of clergy, former Synod members who have walked away for reasons that they don’t have to explain to anyone, and people of any, all or no religions who care. The Church of England preached yesterday about ‘For all those who exalt themselves will be humbled, and those who humble themselves will be exalted.’ (Luke 14).
The Church of England needs to be more Toto, and have wisdom, courage and a heart. Toto was the least, not the greatest, and it is the little dog who is the hero of the story. It could be said that Toto had an ego(!); this criticism is levelled at victims all the time, and it isn’t very grown-up, especially when they clearly have work to do.
“Few will have the greatness to bend history itself, but each of us can work to change a small portion of events, and in the total of all those acts will be written the history of this generation. It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope, and crossing each other from a million different centers of energy and daring, those ripples build a current that can sweep down the mightiest walls of oppression and resistance.
Few are willing to brave the disapproval of their fellows, the censure of their colleagues, the wrath of their society. Moral courage is a rarer commodity than bravery in battle or great intelligence. Yet it is the one essential, vital quality for those who seek to change a world that yields most painfully to change. And I believe that in this generation those with the courage to enter the moral conflict will find themselves with companions in every corner of the globe.”