Survivor Data Rights
Survivor data rights are the specific data protection entitlements held by individuals who have experienced violence, abuse, trafficking, or exploitation and whose information is processed within protection and safeguarding systems. These rights derive from general data protection frameworks such as GDPR, but their application requires adaptation to account for safety risks, ongoing investigations, third-party protection, and the power dynamics inherent in humanitarian and safeguarding relationships. Unlike standard data subject rights exercised in commercial contexts, survivor rights must balance informational self-determination against the potential for rights exercise to cause harm to the survivor, to other affected individuals, or to the integrity of protection processes.
- Survivor
- An individual who has experienced violence, abuse, trafficking, or exploitation and whose personal data is processed within protection, safeguarding, or case management systems. The term “survivor” is preferred over “victim” in protection contexts to emphasise agency and resilience.
- Data controller
- The organisation determining the purposes and means of processing survivor data. In protection contexts, this is the organisation operating the case management system or providing direct services.
- Protection caseworker
- Staff member responsible for direct service delivery and case management. The primary point of contact for survivors exercising data rights.
- Third-party data
- Information about individuals other than the survivor contained within case records. Includes perpetrator information, witness statements, and family member details.
Rights Framework
Survivor data rights operate within the broader framework of data protection law but require specific safeguards and limitations that standard data subject rights do not contemplate. The core rights remain consistent with GDPR Articles 15-22, but their implementation mechanisms differ substantially when applied to protection data.
The right of access permits survivors to obtain confirmation of whether their data is being processed and, where applicable, to receive a copy of that data. In protection contexts, access requests engage additional considerations absent from commercial contexts: case records contain third-party information that cannot be disclosed without consent; perpetrator details that could enable contact or retaliation; and professional assessments whose disclosure could undermine the therapeutic relationship or compromise safety planning.
The right to rectification enables survivors to correct inaccurate data and complete incomplete data. Protection records present challenges because they contain contemporaneous notes of disclosures, professional observations, and third-party reports. A survivor’s current account of events may differ from earlier disclosures without either being factually inaccurate. The record of what was disclosed at a particular time has evidential value independent of its current accuracy.
The right to erasure, commonly called the right to be forgotten, allows survivors to request deletion of their data under specified circumstances. Protection contexts complicate this right because case records serve functions beyond the individual case: they establish patterns of perpetrator behaviour across multiple survivors, provide evidence for prosecutions, and document organisational response for regulatory purposes.
The right to data portability enables survivors to receive their data in a structured, machine-readable format and to transmit that data to another controller. For survivors moving between service providers or jurisdictions, portability supports continuity of care. The right applies only to data provided by the survivor and processed by automated means on the basis of consent or contract.
Right of Access
The right of access entitles survivors to obtain from the data controller confirmation of whether their personal data is being processed, access to that data, and supplementary information about the processing. Requests must be fulfilled within 30 calendar days of receipt, with a single 60-day extension permitted where requests are complex or numerous. No fee applies for the first copy; reasonable administrative charges may apply for additional copies.
Scope of Accessible Information
| Information Category | Included in Access | Excluded from Access |
|---|---|---|
| Survivor’s own disclosures | Full text of recorded disclosures | None |
| Demographic and contact data | All data provided by survivor | None |
| Case notes by staff | Professional observations about survivor | Third-party information within notes |
| Risk assessments | Conclusions and recommendations | Source information identifying third parties |
| Safety plans | Plans developed with survivor | Intelligence from external sources |
| Referral records | Dates, destinations, outcomes | Detailed information from receiving agencies |
| Third-party reports | Existence of reports (redacted) | Content identifying reporters |
| Perpetrator information | Existence of perpetrator records | Details enabling identification or contact |
| Inter-agency communications | Communications about survivor’s case | Content revealing third-party sources |
Response Format
Access responses must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. For protection data, this requires presenting information in a manner that survivors can understand without legal or technical expertise while maintaining the integrity of professional records.
+------------------------------------------------------------------+| ACCESS RESPONSE STRUCTURE |+------------------------------------------------------------------+| || Section 1: Summary || +------------------------------------------------------------+ || | - What data we hold about you | || | - Why we hold it (legal basis) | || | - Who we have shared it with | || | - How long we will keep it | || +------------------------------------------------------------+ || || Section 2: Your Data || +------------------------------------------------------------+ || | Category A: Information you provided | || | [Full disclosure - no redactions] | || +------------------------------------------------------------+ || | Category B: Our records about your case | || | [Redactions applied - see key] | || +------------------------------------------------------------+ || | Category C: Information from others | || | [Existence confirmed - content redacted] | || +------------------------------------------------------------+ || || Section 3: Redaction Key || +------------------------------------------------------------+ || | [BLACK] - Third party personal data | || | [GREY] - Information that could compromise safety | || | [HASH] - Legal privilege or ongoing investigation | || +------------------------------------------------------------+ || || Section 4: Your Rights || +------------------------------------------------------------+ || | - How to request rectification | || | - How to request erasure | || | - How to complain | || +------------------------------------------------------------+ || |+------------------------------------------------------------------+Figure 1: Structure of access response for protection data showing mandatory sections and redaction approach
Exemptions to Access
Data protection law permits restriction of the right of access where disclosure would adversely affect the rights and freedoms of others, prejudice ongoing investigations, or compromise important objectives of public interest. In protection contexts, these exemptions apply in specific circumstances.
Third-party rights constitute the most frequent basis for restricting access. Case records contain information about perpetrators, witnesses, family members, and other survivors whose data cannot be disclosed without their consent or a legitimate basis. Where third-party data is inextricably linked with the survivor’s data, the organisation must redact or summarise to protect third-party rights while maximising survivor access.
Safety concerns justify restricting access where disclosure would create risk of harm to the survivor or others. An organisation holding intelligence that a perpetrator monitors a survivor’s communications may restrict access to prevent the survivor from inadvertently revealing that intelligence. This exemption requires documented risk assessment and applies to specific information, not wholesale denial of access.
Ongoing investigations, whether internal safeguarding investigations or external criminal proceedings, may justify temporary restriction where disclosure would prejudice the investigation’s outcome. This exemption is time-limited and requires reassessment at regular intervals.
| Exemption | Legal Basis | Application in Protection Contexts | Duration |
|---|---|---|---|
| Third-party rights | GDPR Art. 15(4) | Perpetrator data, witness statements, other survivors | Permanent unless consent obtained |
| Crime prevention | GDPR Art. 23(1)(d) | Information that could enable perpetrator evasion | Until risk eliminated |
| Legal proceedings | GDPR Art. 23(1)(f) | Evidence in active prosecutions | Until proceedings concluded |
| Regulatory functions | GDPR Art. 23(1)(h) | Regulatory investigation into organisation | Until investigation concluded |
| Survivor safety | GDPR Art. 23(1)(i) | Intelligence about perpetrator surveillance | Until threat assessment revised |
Right to Rectification
Survivors hold the right to obtain rectification of inaccurate personal data and completion of incomplete personal data. This right operates differently in protection contexts than in commercial contexts because protection records serve multiple functions that pure accuracy does not fully address.
Factual Data Rectification
Demographic information, contact details, and similar factual data follow standard rectification procedures. Where a survivor identifies an error in their recorded name, date of birth, address, or similar information, the organisation corrects the record within 30 days. The original incorrect data may be retained with annotation for audit purposes but must be clearly marked as superseded.
Narrative Record Rectification
Case notes, disclosure summaries, and professional observations present more complex rectification questions. A survivor may dispute the accuracy of how their disclosure was recorded, but the contemporaneous record of what the survivor said at a particular time has independent evidential value. The caseworker’s professional observations and assessments represent the caseworker’s judgment at that time, not statements of objective fact amenable to simple correction.
The rectification framework for narrative records distinguishes between:
Transcription errors occur where the record incorrectly captures what the survivor actually said. If a survivor disclosed abuse at age 8 but the record states age 18, this is a factual error warranting correction. The correction appends to the original record with annotation explaining the error and correction date.
Disputed accounts arise where the survivor’s current recollection differs from the recorded disclosure. A survivor may now recall events differently than described in initial disclosure. Both accounts may be accurate representations of what the survivor believed at the respective times. The appropriate response adds the survivor’s current account to the record without deleting the original, as both have evidential value.
Professional assessments reflect the caseworker’s judgment at the time of recording. A risk assessment concluding “high risk of repeat victimisation” represents professional opinion, not a statement about the survivor that the survivor can unilaterally correct. The survivor can request that their disagreement with the assessment be recorded alongside it.
+------------------------------------------------------------------------------------+| RECTIFICATION DECISION FLOW |+------------------------------------------------------------------------------------+| || Rectification Request || | || v || +------------------------+ || | What type of data? | || +------------------------+ || | | || +----------+ +----------+ || | | || v v || +--------------+ +--------------+ || | Factual data | | Narrative | || | (Name, DOB, | | records | || | Address) | | | || +------+-------+ +------+-------+ || | | || v v || +--------------+ +------------------------------+ || | Verify error | | Categorise issue | || | exists | +------------------------------+ || +------+-------+ | | | || | +------+ | +------+ || +------+------+ | v | || | | v +-----------+ v || +-------+ +-------+ +----------+ | Disputed | +-----------+ || | Error | | No | | Transcr. | | account | | Prof. | || | found | | error | | error | +-----+-----+ | Assess. | || +---+---+ +---+---+ +----+-----+ | +-----+-----+ || | | | v | || v v v +-----------+ v || +---------+ +----------+ +----------+ | Add cur. | +----------+ || | Correct | | Inform | | Correct | | account | | Record | || | record | | survivor | | w/ annot | +-----------+ | disagreem| || +---------+ +----------+ +----------+ +----------+ || |+------------------------------------------------------------------------------------+Figure 2: Decision flow for survivor rectification requests showing different pathways for factual data versus narrative records
Rectification Timeline and Evidence
| Request Type | Verification Required | Maximum Response Time | Record Retention |
|---|---|---|---|
| Factual correction | Identity verification only | 30 days | Original retained with annotation |
| Transcription error | Review of original notes | 30 days | Original retained with correction appended |
| Disputed account | None (survivor’s account accepted) | 30 days | Both accounts retained |
| Assessment challenge | Documented disagreement | 30 days | Assessment retained with survivor’s view |
Right to Erasure
The right to erasure permits survivors to obtain deletion of their personal data in specified circumstances. In protection contexts, this right engages competing interests that constrain its application more than in commercial settings.
Grounds for Erasure
Survivors may request erasure where:
The data is no longer necessary for the purposes for which it was collected. A survivor whose case closed 5 years ago and who has had no further contact may request erasure on this ground. The organisation must assess whether retention remains necessary for legitimate purposes beyond the original case.
The survivor withdraws consent and no other legal basis supports continued processing. Where consent formed the sole basis for data collection, withdrawal requires erasure unless another basis applies. In protection contexts, public interest, legal obligation, or vital interests often provide alternative bases that survive consent withdrawal.
The survivor objects to processing and no overriding legitimate grounds exist for continued processing. The balancing test considers the organisation’s legitimate interests against the survivor’s interests, rights, and freedoms. Documentation of perpetrator behaviour patterns across cases may constitute overriding legitimate grounds.
The data was processed unlawfully. Processing that exceeds the stated purposes, lacks a legal basis, or violates data protection principles requires erasure without the balancing tests applicable to other grounds.
Restrictions on Erasure
Protection data is frequently subject to restrictions that prevent erasure notwithstanding a valid request. These restrictions operate as exemptions to the erasure right rather than discretionary refusals.
Legal obligation requires retention where statute, regulation, or court order mandates preservation of records. Safeguarding regulations in many jurisdictions require retention of case records for specified periods. The organisation cannot erase data that it is legally obligated to retain.
| Jurisdiction | Retention Requirement | Legal Basis |
|---|---|---|
| England and Wales | 75 years from birth for child protection | Working Together 2023 |
| Scotland | 100 years from birth for child protection | National Guidance for Child Protection |
| Republic of Ireland | 75 years from birth for child protection | Children First Act 2015 |
| EU member states | Varies by member state, typically 10-30 years | National transposition of GDPR |
Legal claims justify retention where data is necessary for the establishment, exercise, or defence of legal claims. Protection records may be relevant to future civil claims by survivors, criminal prosecutions of perpetrators, or regulatory proceedings against organisations. This basis requires periodic reassessment of whether legal proceedings remain reasonably foreseeable.
Public interest in the area of public health, including protection against serious cross-border threats, permits retention. Epidemiological use of anonymised or pseudonymised protection data falls within this basis.
Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes may override erasure requests where appropriate safeguards exist. Pseudonymised protection data used for research into prevalence, outcomes, or intervention effectiveness falls within this basis.
Partial Erasure
Where complete erasure is not possible due to restrictions, survivors retain the right to request erasure of data not subject to restrictions. An organisation retaining case records under legal obligation may nonetheless erase contact details, photographs, or other data not essential to the retained record.
The response to an erasure request that cannot be fully fulfilled must specify which data has been erased, which data has been retained, the legal basis for retention, and the expected retention period. Survivors may request review of retention decisions at intervals, particularly where the basis was legal claims that may have become time-barred.
Right to Data Portability
Survivors hold the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right supports survivors transitioning between service providers, moving to different jurisdictions, or consolidating information about their own cases.
Scope of Portable Data
Portability applies only to data that meets three criteria: provided by the survivor; processed by automated means; and processed on the basis of consent or contract. These criteria significantly limit portable data in protection contexts.
Data provided by the survivor includes disclosures, personal information submitted during intake, communications from the survivor, and any other information the survivor actively furnished. It excludes professional observations, risk assessments, case notes about the survivor, and information obtained from third parties.
Automated processing requires data held in electronic form that can be extracted from information systems. Paper records fall outside portability, as do data points that exist only as elements of unstructured text requiring manual extraction.
Consent or contract basis excludes data processed on public interest, legal obligation, or legitimate interest grounds. Much protection data is processed on bases other than consent, limiting portability scope.
| Data Type | Provided by Survivor | Automated | Consent/Contract Basis | Portable |
|---|---|---|---|---|
| Intake form responses | Yes | Yes | Typically yes | Yes |
| Disclosed narrative (transcribed) | Yes | Yes | Typically yes | Yes |
| Contact details | Yes | Yes | Yes | Yes |
| Caseworker notes | No | Yes | Varies | No |
| Risk assessments | No | Yes | Public interest | No |
| Referral records | No | Yes | Varies | No |
| Third-party reports | No | Yes | Varies | No |
| Safety plans | Partial | Yes | Varies | Survivor-provided elements only |
Format Requirements
Portable data must be provided in a structured, commonly used, machine-readable format. Protection organisations must determine appropriate formats for survivor data portability.
For structured intake data, CSV or JSON formats enable transmission to receiving organisations with different systems. The file must include field definitions enabling the receiving organisation to interpret the data.
For narrative disclosures, plain text or PDF/A format preserves content while remaining accessible. Machine-readable formats should not sacrifice readability given that narrative content is primarily human-interpreted.
+------------------------------------------------------------------+| PORTABILITY PACKAGE STRUCTURE |+------------------------------------------------------------------+| || /survivor_data_export_[ID]_[DATE]/ || | || +-- manifest.json || | { || | "export_date": "2024-11-16", || | "data_controller": "Organisation Name", || | "survivor_id": "[anonymised reference]", || | "files_included": [...] || | } || | || +-- intake_data.csv || | [Structured fields from intake forms] || | || +-- disclosures/ || | +-- disclosure_2024-01-15.txt || | +-- disclosure_2024-03-22.txt || | [Narrative records of survivor's own words] || | || +-- communications/ || | +-- survivor_emails.mbox || | [Communications from survivor] || | || +-- README.txt || [Explanation of contents and field definitions] || |+------------------------------------------------------------------+Figure 3: Standard structure for survivor data portability package showing file organisation and content types
Transmission to Receiving Controller
Where technically feasible and requested by the survivor, the organisation must transmit portable data directly to a receiving controller. This applies where the survivor is transferring to a new service provider and requests direct transmission.
Direct transmission requires:
- Written request from survivor specifying receiving controller
- Verification that receiving controller can accept transmission
- Secure transmission channel (encrypted, authenticated)
- Confirmation of receipt from receiving controller
- Notification to survivor that transmission is complete
The originating organisation retains responsibility for transmission security but not for the receiving organisation’s subsequent processing. Survivors should be informed that once data is transmitted, the receiving organisation’s policies govern its treatment.
Rights During Ongoing Cases
Active protection cases present additional considerations for rights exercise because case records are in active use, safety planning may be affected by information disclosure, and the survivor-caseworker relationship may be impacted by formal rights requests.
Informal Access During Active Cases
Survivors should not need to submit formal access requests to understand their own cases. Good practice provides ongoing informal access through:
Case summaries shared with survivors at regular intervals, presenting the current state of their case in accessible language. Summaries exclude third-party data and sensitive intelligence but provide the survivor with understanding of their case status.
Review meetings where caseworkers discuss case records with survivors, explaining assessments, plans, and recorded information. Survivors can request corrections or additions during these meetings without formal process.
Survivor-held records where appropriate, giving survivors copies of key documents as they are created rather than requiring retrospective access requests.
Formal access requests remain available where informal access is insufficient, where the survivor has left services and no longer has caseworker contact, or where the survivor requires a formal response for external purposes.
Safety Assessment Before Disclosure
All rights responses in active cases require safety assessment before disclosure. A survivor requesting access may be subject to coercive control where a perpetrator is directing the request. Responding without assessment could provide perpetrators with information about witnesses, safety plans, or organisational intelligence.
Safety assessment examines:
Request circumstances including whether the request arrived through normal channels, whether the survivor initiated contact, and whether the request language matches the survivor’s usual communication style.
Current risk context including recent perpetrator contact, changes in living situation, and any intelligence about perpetrator surveillance.
Disclosure content identifying any information that could compromise safety if shared with the perpetrator, including witness identities, safe accommodation locations, or intelligence sources.
Where safety concerns exist, the organisation contacts the survivor through a verified secure channel to confirm the request’s authenticity and discuss safe methods for providing the response. This may include collecting the response in person, using a secure email address, or delaying response until safety circumstances change.
Impact on Case Management
Rights exercise during active cases affects the caseworker-survivor relationship and ongoing case management. Formal requests may indicate breakdown in informal communication that should be addressed. Response preparation diverts caseworker time from direct service delivery.
Organisations should:
Treat rights requests as opportunities to assess whether informal access is functioning adequately. A survivor who feels the need for formal processes may not be receiving sufficient information through normal case management.
Separate rights response preparation from case management where possible, avoiding situations where caseworkers feel defensive about records they created. Data protection staff should coordinate responses with caseworker input rather than caseworkers preparing their own responses.
Discuss rights exercise with survivors where appropriate, understanding the survivor’s objectives and whether formal processes best serve those objectives. Survivors may not realise that informal processes can achieve their goals more quickly.
Response Procedures
This section provides lookup reference for response requirements across different request types.
Response Timeframes
| Request Type | Initial Response | Extension Available | Maximum Total Time |
|---|---|---|---|
| Access | 30 days | 60 days | 90 days |
| Rectification | 30 days | 60 days | 90 days |
| Erasure | 30 days | 60 days | 90 days |
| Portability | 30 days | 60 days | 90 days |
| Restriction | Without undue delay | None | Not specified |
| Objection | Without undue delay | None | Not specified |
Extensions require notification to the survivor within the initial 30-day period, with explanation of why extension is necessary. Complexity of the request or volume of requests from the same survivor justify extension.
Identity Verification
Before responding to any rights request, the organisation must verify the requester’s identity to prevent disclosure to unauthorised parties. Verification must be proportionate to the sensitivity of the data and the risk of fraudulent requests.
| Verification Level | When Required | Acceptable Methods |
|---|---|---|
| Basic | Low-sensitivity data, established contact | Confirmation from known email/phone |
| Standard | Most protection requests | Government ID, security questions, in-person verification |
| Enhanced | High-risk cases, dormant cases | Multi-factor verification, caseworker confirmation, in-person with ID |
Verification should not create barriers to legitimate access. Survivors who have fled violence may lack identification documents. Alternative verification methods include confirmation of case details only the survivor would know, verification by a trusted third party known to the organisation, or video call verification where documents are unavailable.
Request Logging
All rights requests must be logged regardless of outcome. The log serves audit purposes, enables identification of patterns (such as repeated requests from perpetrators posing as survivors), and supports regulatory reporting.
| Field | Required | Purpose |
|---|---|---|
| Request ID | Yes | Unique identifier for tracking |
| Date received | Yes | Timeframe compliance |
| Requester identity | Yes | Verification record |
| Request type | Yes | Classification |
| Case reference | Yes | Link to case records |
| Verification method | Yes | Audit trail |
| Response date | Yes | Timeframe compliance |
| Outcome | Yes | Fulfilled/partially fulfilled/refused |
| Exemptions applied | If applicable | Justification record |
| Appeal received | If applicable | Escalation tracking |
Comparison with Standard Data Subject Rights
Survivor data rights derive from the same legal framework as standard data subject rights but differ in application due to the protection context.
+-------------------------------------------------------------------+| SURVIVOR RIGHTS VS STANDARD DATA SUBJECT RIGHTS |+-------------------------------------------------------------------+| || RIGHT OF ACCESS || +-----------------------------+-----------------------------+ || | Standard DSR | Survivor Rights | || +-----------------------------+-----------------------------+ || | Full disclosure default | Redaction common (third | || | | party, safety concerns) | || +-----------------------------+-----------------------------+ || | Identity verification | Enhanced verification | || | proportionate | due to safety risks | || +-----------------------------+-----------------------------+ || | Electronic delivery normal | Secure delivery methods | || | | required, may be in-person | || +-----------------------------+-----------------------------+ || || RIGHT TO RECTIFICATION || +-----------------------------+-----------------------------+ || | Standard DSR | Survivor Rights | || +-----------------------------+-----------------------------+ || | Inaccuracy corrected | Narrative records | || | straightforwardly | annotated not replaced | || +-----------------------------+-----------------------------+ || | Original deleted or | Original retained for | || | clearly superseded | evidential purposes | || +-----------------------------+-----------------------------+ || || RIGHT TO ERASURE || +-----------------------------+-----------------------------+ || | Standard DSR | Survivor Rights | || +-----------------------------+-----------------------------+ || | Erasure common where | Retention common due to | || | grounds met | legal obligations | || +-----------------------------+-----------------------------+ || | Retention exceptions | Retention periods often | || | relatively narrow | measured in decades | || +-----------------------------+-----------------------------+ || || RIGHT TO PORTABILITY || +-----------------------------+-----------------------------+ || | Standard DSR | Survivor Rights | || +-----------------------------+-----------------------------+ || | Most personal data | Limited to survivor- | || | portable | provided data only | || +-----------------------------+-----------------------------+ || | Automated formats | Narrative content may | || | standard | require accessible formats | || +-----------------------------+-----------------------------+ || |+-------------------------------------------------------------------+Figure 4: Comparison of survivor rights implementation with standard data subject rights showing key differences in each right