ICO slams police force for ‘cavalier’ attitude to data after unencrypted interview footage goes missing

Written by Rebecca Hill on 4 May 2017 in News
News

Greater Manchester Police slapped with £150,000 fine from data protection watchdog for failing to protect sensitive footage of interviews with victims of violent crimes

Greater Manchester Police was fined after three DVDs of interview footage were lost in the post - Photo credit: Pixabay

Greater Manchester Police has been fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes went missing in the post.

The DVDs - which were unencrypted and contained footage where victims were identifiable - were sent by the force to the Serious Crime Analysis Section of the National Crime Agency by recorded delivery but were not received. They have never been recovered.

The Information Commissioner’s Office investigated the incident, which happened in 2015, and found that the police force had breached data protection law.

The force, it said, had “failed to keep highly sensitive personal information in its care secure, and did not have appropriate measures in place to guard against accidental loss”.


Related content

CPS fined £200,000 for failing to keep sensitive interviews safe
Data blunder leads to £185,000 fine for NHS trust


Sally Anne Poole, the ICO enforcement group manager, said that the public had “every right to expect that their information is handled with the utmost care and respect”, but that the GMP had not done this.

“The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious,” she said.

“Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”

The investigation found that the GMP had been sending unencrypted DVDs by recorded delivery to the SCAS - which aims to identify potential serial killers and serial rapists at an early stage in their offending history - since 2009, and only stopped after the 2015 incident.

The GMP said in a statement sent to PublicTechnology that the delivery method was “in accordance with national guidance for sending sensitive information”.

But the ICO ruled that the GMP ought reasonably to have known there was a risk of the breach happening, noting that it was aware that the SCAS only used special delivery - where the package is signed for every time it changes hands, not just by the recipient - for sending confidential information by post.

It added that although “a technical solution such as encryption or remote access was not an option at the time of the security breach through no fault of GMP… ultimately, it was up to GMP to keep the DVDs secure”.

The GMP’s assistant chief constable Rob Potts said that the GMP was now “considering our response to this judgement”, but that it had already stopped using postal delivery for sensitive information following a review of its procedures after the 2015 data breach was discovered.

The force was fined £150,000 by the ICO in 2012 after an unencrypted USB stick was stolen.

Share this page

Tags

Categories

Add new comment

Related Articles

Overcoming public sector patch paralysis and risk culture
17 May 2017

The global ransomware attack has been followed by an outcry about the NHS' reliance on legacy systems. Harry Metcalfe and Lee Maguire of dxw say you can't properly diagnose the...

UPDATED: General election 2017: Manifesto round-up
17 May 2017

After the Tories released their manifesto,PublicTechnology takes a look at the three main parties' plans for digital and technology ahead of next month's general election.