ICO slams police force for ‘cavalier’ attitude to data after unencrypted interview footage goes missing

Written by Rebecca Hill on 4 May 2017 in News
News

Greater Manchester Police slapped with £150,000 fine from data protection watchdog for failing to protect sensitive footage of interviews with victims of violent crimes

Greater Manchester Police was fined after three DVDs of interview footage were lost in the post - Photo credit: Pixabay

Greater Manchester Police has been fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes went missing in the post.

The DVDs - which were unencrypted and contained footage where victims were identifiable - were sent by the force to the Serious Crime Analysis Section of the National Crime Agency by recorded delivery but were not received. They have never been recovered.

The Information Commissioner’s Office investigated the incident, which happened in 2015, and found that the police force had breached data protection law.

The force, it said, had “failed to keep highly sensitive personal information in its care secure, and did not have appropriate measures in place to guard against accidental loss”.


Related content

CPS fined £200,000 for failing to keep sensitive interviews safe
Data blunder leads to £185,000 fine for NHS trust


Sally Anne Poole, the ICO enforcement group manager, said that the public had “every right to expect that their information is handled with the utmost care and respect”, but that the GMP had not done this.

“The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious,” she said.

“Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”

The investigation found that the GMP had been sending unencrypted DVDs by recorded delivery to the SCAS - which aims to identify potential serial killers and serial rapists at an early stage in their offending history - since 2009, and only stopped after the 2015 incident.

The GMP said in a statement sent to PublicTechnology that the delivery method was “in accordance with national guidance for sending sensitive information”.

But the ICO ruled that the GMP ought reasonably to have known there was a risk of the breach happening, noting that it was aware that the SCAS only used special delivery - where the package is signed for every time it changes hands, not just by the recipient - for sending confidential information by post.

It added that although “a technical solution such as encryption or remote access was not an option at the time of the security breach through no fault of GMP… ultimately, it was up to GMP to keep the DVDs secure”.

The GMP’s assistant chief constable Rob Potts said that the GMP was now “considering our response to this judgement”, but that it had already stopped using postal delivery for sensitive information following a review of its procedures after the 2015 data breach was discovered.

The force was fined £150,000 by the ICO in 2012 after an unencrypted USB stick was stolen.

Share this page

Tags

Categories

Add new comment

Related Articles

NAO says preventable WannaCry damage shows DoH and NHS must ‘get their act together’
27 October 2017

National Audit Office report also points to a lack of coordination in response to attack, which the government has concluded was conducted by North Korea

What all public-sector IT leaders need to know to be ready for GDPR
25 September 2017

Victoria Cetinkaya of the Information Commissioner’s Office ​gives the organisation's top tips for government tech and data chiefs to ensure they are ready for new regulation next year