ICO slams police force for ‘cavalier’ attitude to data after unencrypted interview footage goes missing

Written by Rebecca Hill on 4 May 2017 in News

Greater Manchester Police slapped with £150,000 fine from data protection watchdog for failing to protect sensitive footage of interviews with victims of violent crimes

Greater Manchester Police was fined after three DVDs of interview footage were lost in the post - Photo credit: Pixabay

Greater Manchester Police has been fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes went missing in the post.

The DVDs - which were unencrypted and contained footage where victims were identifiable - were sent by the force to the Serious Crime Analysis Section of the National Crime Agency by recorded delivery but were not received. They have never been recovered.

The Information Commissioner’s Office investigated the incident, which happened in 2015, and found that the police force had breached data protection law.

The force, it said, had “failed to keep highly sensitive personal information in its care secure, and did not have appropriate measures in place to guard against accidental loss”.

Related content

CPS fined £200,000 for failing to keep sensitive interviews safe
Data blunder leads to £185,000 fine for NHS trust

Sally Anne Poole, the ICO enforcement group manager, said that the public had “every right to expect that their information is handled with the utmost care and respect”, but that the GMP had not done this.

“The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious,” she said.

“Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”

The investigation found that the GMP had been sending unencrypted DVDs by recorded delivery to the SCAS - which aims to identify potential serial killers and serial rapists at an early stage in their offending history - since 2009, and only stopped after the 2015 incident.

The GMP said in a statement sent to PublicTechnology that the delivery method was “in accordance with national guidance for sending sensitive information”.

But the ICO ruled that the GMP ought reasonably to have known there was a risk of the breach happening, noting that it was aware that the SCAS only used special delivery - where the package is signed for every time it changes hands, not just by the recipient - for sending confidential information by post.

It added that although “a technical solution such as encryption or remote access was not an option at the time of the security breach through no fault of GMP… ultimately, it was up to GMP to keep the DVDs secure”.

The GMP’s assistant chief constable Rob Potts said that the GMP was now “considering our response to this judgement”, but that it had already stopped using postal delivery for sensitive information following a review of its procedures after the 2015 data breach was discovered.

The force was fined £150,000 by the ICO in 2012 after an unencrypted USB stick was stolen.

Share this page




Please login to post a comment or register for a free account.

Related Articles

Police investigated 4,300 cyber offences last year – but charged fewer than 100 criminals
12 August 2022

The proportion of offences resulting in a formal charge increased slightly, but remains at barely more than one in every 50

MoD appoints £2m cyber specialist to test Army IT vulnerabilities
23 September 2022

Firm will be asked to assess existing and new tech platforms 

Government reveals ambition to drastically reduce cybercrime
21 September 2022

Consultation launched on how to ‘reduce the security burden on citizens’

Brexit: ‘No known data breaches’ of EU citizens’ digital status since programme launch, minister claims
20 September 2022

Home Office databases have not been compromised, according to Tom Pursglove