Statement in response to press queries about alleged data breaches

I have today been notified by journalists of a suggestion that “all the submissions to the review were inadvertently shared with a third party”. I can unequivocally state that this is untrue. Submissions to the Review have been provided on standard form Questionnaires. Nobody has had access to the Questionnaire submissions sent to the Review, beyond myself and my two assistants. I am not aware of any breach of the security of the system on which these submissions are held – and given the security measures in place would not expect there to have been any such breach.

To provide total clarity, the only incident of which I am aware where any information submitted to the Review was inadvertently accessed occurred on 6 December 2024.
  • Individuals who had provided submissions to the Review using the Questionnaires were in addition offered the facility to upload documents to a separate secure sharefile website.
  • One individual was inadvertently provided by me with a link that gave them access to some documents that had been uploaded by another individual, which they discovered on logging on to the website. Very properly, I was immediately informed of this when the person accessing the documents realised that they did not relate to their case.
  • No other individual’s documents were accessible.
  • The documents were removed by me from the sharefile site immediately. The person accessing them (a practising solicitor) confirmed that they had not been downloaded or shared by them and was requested that the information should be treated as confidential.
  • The submissions made by the two individuals concerned had no factual overlap. The two individuals are not aware of each other’s identities.
  • The person whose documents had been accessed was immediately informed and provided with a full explanation of what had occurred and the immediate steps to secure the confidentiality of their information - and responded that they had “no concerns regarding this in the circumstances identified”. They did not seek any further information in relation to this.

Throughout the Review my assistants and I have put in place measures designed to protect the confidentiality of all information provided to us. The incident identified above was limited to one individual mistakenly having brief access to documents submitted by another, but did not download, copy or share those documents. The individual whose documents were accessed was expressly satisfied with the measures taken in relation to this unfortunate incident. Having considered the substance and nature of the material concerned and taken advice and considered my professional duties, I concluded that I was not required to report the incident to the Information Commissioner’s Office. I informed the Group of Experts and Stakeholders of this incident, and measures taken in response, at our next meeting on 17 December 2024. I do not believe that there has been any other inadvertent disclosure of any other information submitted to the Review.

All news articles

Previous article

Arrangements for publication of the Review report on Wednesday 24 September 2025