Updated 29 August
As mentioned in today’s Opinion article, the Redress Scheme that was recently approved by General Synod has suffered from a major data breach. The Church of England has issued this statement:
Redress Scheme data breach by Kennedy’s Law LLP which is copied in full below.
We have been made aware of a deeply regrettable data incident involving the independent Redress Scheme administered by Kennedys Law LLP.
This incident resulted in the unintended disclosure by Kennedys Law of email addresses belonging to individuals who had registered for updates on the Redress Scheme.
First and foremost, our focus is on those affected. We recognise the distress this has caused, particularly for survivors who trusted the scheme to handle their information with care and confidentiality.
While the Church of England is not the data controller for the Redress Scheme and does not hold or manage the data in question, we are nonetheless profoundly concerned. We are in discussions with Kennedys to understand how this breach occurred and to ensure robust steps are taken to prevent anything similar from happening again.
Kennedys has taken full responsibility for the incident and is contacting all those affected directly to apologise and offer support. They have reported the breach to the Information Commissioner’s Office and are investigating the circumstances thoroughly.
This should not have happened. We will continue to monitor the situation closely and support efforts to restore trust and confidence.
Questions or concerns in relation to this data breach can be directed to KennedysDataProtectionOfficer@kennedyslaw.com
Finding support
If you have been impacted by this there are a number of organisations who can offer support:
Safe Spaces is a free and independent support service for anyone who has experienced abuse in relation to the Church of England, the Church in Wales, or the Catholic Church of England and Wales.
There are Safeguarding Advisers in every Church of England diocese across the country. Details can be found using our Diocesan Safeguarding Teams map which links to relevant contact information in each area.
Additional support services are listed here.
If you would like to talk to someone within the Church of England please email redress@churchofengland.org
Statement from Kennedys Law: Published 27 August 2025
Regrettably on Tuesday evening, a message was sent from law firm, Kennedys, to 194 individuals and law firms who had registered to receive updates in relation to the Church of England Redress scheme. Due to human error, the email displayed the email addresses making them visible to all recipients. No further personal details of individuals were shared. Attempts to recall the message were only partially successful.
Kennedys has been working with the Church of England since March 2024 as its independent Scheme Administrator to help it develop further and manage its National Redress Scheme for victims and survivors of Church-related abuse. This was approved by the General Synod of the Church of England in July paving the way for the scheme to open for redress applications.
Kennedys is deeply sorry for the hurt and concern caused to everyone affected by this significant error and accepts full responsibility. We have contacted everyone who received the message and have reported the incident to the Charity Commission, the Information Commissioner’s Office and the Solicitor’s Regulatory Authority. We will fully comply with any investigations.
Additionally, we have launched a full internal investigation to understand how this could have occurred and will incorporate any lessons learnt into our procedures immediately.
We understand the significant impact this will have on those affected for which we apologise unreservedly. We remain committed to supporting victims and survivors of Church of England-related abuse to secure the financial redress, therapeutic, spiritual and emotional support, acknowledgement of wrongdoing on the part of the Church, apology and other forms of bespoke redress under this scheme. Questions or concerns in relation to this data breach can be directed to KennedysDataProtectionOfficer@kennedyslaw.com
Updates
This letter was issued on Thursday: An open letter from the Bishop of Winchester
And this was issued by Kennedys, on the front page of the Redress Scheme website, and is copied below.
Redress Church of England
Kennedys data breach
Published 28 August 2025
I am a Partner at the law firm Kennedys, and I have been working with the Church of
England to develop the Redress Scheme.
I know you will already be aware of the unfortunate incident earlier this week in which an email was sent to people who had registered to receive updates in relation to the Redress Scheme. Due to human error and in breach of firm standards, the email displayed the email addresses of all recipients. I want to reassure you that no further personal details of individuals, or information relating to those individuals, was shared.
I want to take this opportunity to personally apologise that this error occurred. It does not reflect the standards that we expect of ourselves and as a firm but more importantly we know that it has caused trauma and concern, and seriously impacted on the trust that survivors and others have in the Redress Scheme. We recognise the seriousness of this incident, and we have launched an internal investigation to understand exactly how this incident occurred and to ensure it does not happen again.
We are also working with the Church of England and those leading the Scheme to determine how best to rebuild trust in the Redress Scheme, and ensure those affected by this incident are adequately supported and any harm suffered appropriately redressed.
We have received a number of complaints from those affected by this incident and are responding to those individually. If you have been impacted and want to lodge a complaint, or have any related questions or concerns, you can contact me at Helen_snowball@kennedyslaw.com or the Kennedys Data Protection Officer at KennedysDataProtectionOfficer@kennedyslaw.com. We have a dedicated team in place who are entirely focused on this matter.
We understand it can be distressing for some to receive further messages from the original thread. We have provided some guidance here that might help reduce or stop further messages coming to your inbox.
We know this will be a difficult time for many of you and additional support is available from Safe Spaces. They can be contacted on safespaces@firstlight.org.uk or 0300 303 1056.
I would like to reiterate again how sorry I am that this happened and our unwavering dedication to making it right.
With regards,
Helen Snowball
The Church of England statement has been amended to add a link to the statement from Kennedys. I have added the text of the latter to the foot of the article.
I note that Kennedys refers to the “Solicitor’s Regulatory Authority”. The correct title is “Solicitors Regulation Authority”.
Kennedys “will incorporate any lessons learnt into our procedures immediately”. So it’s not just the CofE that falls back on this language…
And this is familiar response to this language. I am wondering what we would prefer them to be saying in situations like this?
For a start, it would be good at the end of these lessons learned exercises to be told just what lessons *were* learned. I am reminded of the ‘You said…’/‘We did…’ processes in education, showing that the ‘feedback loop’ has been closed. In the C of E, it would be valuable to see how a lesson learned from a failure in one diocese had been taken on board by other dioceses; to see that somebody was collating the ‘lessons’ and passing them on.
Thinking back to my early Navy experience when I did some training with the Fleet Air Arm (and aviation were the originators of the “no fault” accident analysis process), not only were there detailed reports into accidents, then there were magazine style, easily readable, articles about these mistakes and incidents in the popular aviation journals.
Following such thinking, then perhaps not only should lessons learned reviews be published in full for the benefit of others, but we should think how to publish easily accessible articles, blogs etc about each report, to ensure the learning is promulgated as widely as possible,
Makes a change that the incompetence is not directly the responsibility of the Church of England. I wonder though what values the solicitors used by the C of E claim to uphold? Confidentiality might not be one of them now…
Kennedys ‘culture and values’ herewith:https://as-s01-uks-cm-04.azurewebsites.net/media/mvijijlr/kennedys-values-booklet.pdf
What redress is available to the CofE, let alone victims and survivors.
What criteria were used by whom at CofE to recommend and make this appointment?
Surely CofE cannot ‘subcontract’ its responsibility?
This is highly regrettable and there needs to be a full investigation but I suspect this will be a clerical mistake by a very junior member of staff at the law firm.
If it was indeed a junior member of staff then the firm is perhaps at fault for not adequately supervising them. It should not be possible for one junior person to do this.
Send a round robin email?
There should be proper processes in place for sending sensitive emails. There should be appropriate training for all members of staff to ensure they are aware of the processes and of the need to follow them. A junior member of staff should not be sending out such emails on their own initiative but under instruction from a responsible person, who should have reminded them of the process.
Commercial organisations run their back office on a shoestring to maximise profits for, in this case their partners. I entirely understand the distress of the survivors in these circumstances but the reality is it’s likely to be a harassed (woman) on the minimum wage who is going to be sent back to the dole queue. The partners of Kennedy Law will be irritated but won’t lose sixpence over this data breach.
I spent over 40 years working for commercial organizations. My experience is that the directors of the firms, no doubt advised by their HR department and/or their company lawyers, understood that they could be personally liable for various failings, and ensured that staff received training. In the specific case of data protection one of my responsibilities for example was to ensure that software developers working on a project did not store personally identifiable information about customer employees in our software and our databases. And software was reviewed by a designated group before release to ensure that it complied with this… Read more »
All the more reason to dump them for gross incompetence & find another firm. That way the partners will lose sixpence.
Even if a junior member of staff made the error, surely the partners are still responsible, and could suffer from some court actions, as Simon has implied above?
I am not a lawyer, and it may be different for a partnership rather than a company director.
I think the reputational damage to Kennedys Law, which is a major international firm, is likely to be quite significant. That’s in addition to the financial cost of compensating individuals, and the financial cost of compensating their customer. Now is not the time for CofE senior officials to behave as shrinking violets.
I thought I couldn’t be more disappointed with how so much of this process has been handled to date… I’ve just been in contact with a survivor, who is on the email list, about this devastating data breach. They were in such a good place earlier today, enjoying some well earned time off, then this landed. For those who already feel so betrayed by the CofE, in so many different ways, it is difficult to imagine what impact this latest breach of trust will have. It seems to me, looking from the outside, just like further abuse, to be brutally… Read more »
Don’t let’s hide behind words. Serious breach affecting the lives of many traumatised and vulnerable people. Change the solicitor. Happens all the time in the ‘real world’.
Devastating for survivors. Another deep betrayal of confidence and trust.
The data breach is an intolerable failure on the part of Kennedy Law. The fact that it may have been committed by a junior staff member is irrelevant. The firm has to be dropped from working for the Church and all files must be placed in the care of an alternative firm. To do otherwise would be in effect to condone devastating carelessness and yet again not to stand up for survivors. Kennedys bland statement sets out how organisations always and everywhere put their interest above the just needs of survivors. The Church must fire them to maintain any credibility.… Read more »
I’ve written about this appalling breach and its effect upon me as a survivor of clergy abuse on my blog (referenced in the previous post): https://retiredrector.blog/2025/08/26/churchs-major-data-breach/ Data breaches happen and will continue to happen. People make mistakes. I know that. The significant point is about the triggering effect of these failures of church authorities or their agents. They are enervating. Since I became aware of the breach I have wasted too much of my time and energy trying to deal with my anger, and trying not go over all the events of my abuse and the appalling way it was… Read more »
I am also one of the survivors included in the data breach and as horrific as that is I think it hides a greater horror. The reason for the communication was to update interested parties on the FAQ’s for the Redress scheme and in this, what we are constantly being told, is a non-adversarial approach, we now learn that medical assessments will be required in ‘some’ instances. These will be done online, a communication method many find retraumatising, gender of the assessor might be of your choosing or may not. Though phrased to sound as though it will be to… Read more »
House of Survivors has published a page today with our viewpoint on the data breach, the consequences for survivors involved, for others, and what in our view needs to happen now. https://share.google/CvIhMA93w5HFQFrJG Text below: On 27th August the Church of England Redress Scheme leaked the personal details of nearly 200 survivors of CofE abuse in a data breach. House of Survivors recognises that this was human error with no malevolent intent – nevertheless it has distressing consequences for all survivors involved. Many survivors had kept their name and identity carefully hidden. And many of us experience it as yet another… Read more »
House of Survivors has compiled a list of links to media reports on this news story. Follow the link in the previous comment to see them all.
I agree that Kennedys should offer compensation to all affected survivors. They might also want to offer the Church of England a reduction in their fees.
I’d also encourage anyone affected by this breach to consider making a referral to the Solicitors’ Regulation Authority. Although Kennedy’s have (rightly) self-referred, additional complaints by interested parties will be considered alongside the self-referral and may add weight to consideration of the degree of harm caused. Professional regulation is far from perfect, but it does, at least, have procedures that must be followed consistently and benchmarks against which complaints are assessed. The complaints are also handled outside Kennedy’s and should a case to answer be established, they will be heard by a Panel genuinely independent of both Kennedy’s and the… Read more »
“While the Church of England is not the data controller for the Redress Scheme and does not hold or manage the data in question, we are nonetheless profoundly concerned” This is what managerial culture looks like. The care of souls is farmed out to a law firm. So the Church of England can pass the buck and all it needs to do is profess “profound concern” but actually this means nothing. The employee of the law firm was just doing his job (rather badly). Farming out means nobody has responsibility, especially the Church bureaucrats. “Lessons will be learnt” but actually… Read more »
I very much agree with your points David. The wording used by the Church of England in response to this incident, where blame can in their eyes be apportioned externally is acutely painful for me to read. I’m one of the affected parties in it – and it has had a horrible impact. But, for instance, it is less impact than being one of the ISB12 – when Archbishops’ Council recklessly disbanded the ISB1.0 (the harm of which is detailed in the Glasgow report), or as Mr X of the ISB Spindler report – with it’s acutely urgent Recommendations largely… Read more »
The NST has told me today that the CofE Redress Board no longer exists (closing meeting was in May). Going forward will be the Archbishops Council managing the contract with Kennedys… so in reality the power lies with Secretary General William Nye. It will be his hand steering the rudder in the event of any future Kennedys’ mishap. This is not good news. Nye has form in spades. Notably there has been past duplicity with CofE insurer Ecclesiastical in reputation management. His fingerprints have been present on so many bad judgements by CofE. And many survivors have fallen foul of… Read more »
I have added a letter from the Bishop of Winchester to this article. And I have also added a link to a letter from a partner at Kennedys, which has been published on the front page of the Redress Scheme website. I have copied the full text of the latter, in order that it should not get lost.
https://kennedyslaw.com/en/our-people/people/sheffield/helen-snowball/
Is there a Snowball’s chance in hell of the CofE getting the redress scheme right?
My heart goes out to everyone involved in the data breach. But in response to Robert’s question I have another one- does it/ do they want to? And as for the CofE plc , + Mounstephen and Kennedy’s pompous corporate non- apologies non apologies – they are somewhere below contemptible and should be paraphrased-‘ ooops – a minion messed up in our attempt to organise this to our greatest personal benefit and you guys found out . Bother . But don’t expect things to get any better because you aren’t the people who matter, so why don’t you realise that… Read more »
One of the victims of the data breach has written about it for tomorrow’s Sunday Times.
https://www.thetimes.com/uk/crime/article/church-of-england-data-breach-survivor-kennedys-law-r26wwmp66