The Information Commissioner’s Office has been alerted after Norfolk and Suffolk constabularies admit the accidental release of ‘raw data’ – but claim there is no evidence as yet of external access

Sensitive personal information of more than 1,000 victims, witnesses, and suspects was accidentally released by police in East Anglia during a data breach that lasted almost a year.

In a joint statement issued today, Norfolk and Suffolk constabularies admitted that, between April 2021 and March 2022, a number of responses provided to Freedom of Information requests for crime statistics included files containing “raw data” not intended for public viewing.

“[This] data includes personal identifiable information on victims, witnesses, and suspects, as well as descriptions of offences,” the statement said. “It related to a range of offences, including domestic incidents, sexual offences, assaults, thefts and hate crime.”

The two forces claimed that data was automatically “hidden from anyone opening the files”, adding that “strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing, [and] at this stage we have found nothing to suggest that this is the case”.

Related content

• ‘If we don’t use this information, we’re not doing our duty to protect people’ – Met Police science chief on data, bias and precision policing
• ICO examines use of personal data in government anti-disinformation work
• Information commissioner: ‘I want us to be for all of society – not just those with the resources to access data protection’

A total of 1,230 people impacted by the breach will be contacted in the coming weeks – via either letter, phone call, or a face-to-face visit from officers, depending on the nature of the information released and further support that may be required. A dedicated phone line and email address – 01603 276 647 and dataincident@suffolk.police.uk – have also been set up for queries and concerns, although the forces said that “if members of the public are not contacted by the constabularies, they do not need to take any action”.

Suffolk Constabulary assistant chief constable Eamonn Bridger, who led the investigation of the breach, said: “We would like to apologise that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk. I would like to reassure the public that procedures for handling FOI requests made to Norfolk and Suffolk constabularies are subject to continuous review to ensure that all data under the constabularies’ control is properly protected.”

Data-protection regulator the Information Commissioner’s Office has been notified of the incident.

The watchdog’s deputy commissioner for regulatory supervision Stephen Bonner said: “The potential impact of a breach like this reminds us that data protection is about people. It’s too soon to say what our investigation will find, but this breach – and all breaches – highlights just how important it is to have robust measures in place to protect personal information, especially when that data is so sensitive. We are currently investigating this breach and a separate breach reported to us in November 2022. In the meantime, we’ll continue to support organisations to get data protection right so that people can feel confident that their information is secure.”

The incident is the third high-profile public sector data breach within the space of week – and the second affecting the police. Last week, representatives of serving officers warned that the Police Service of Northern Ireland has risked causing “incalculable damage” by accidentally publishing names and professional details of the force’s entire civilian and police workforce.

News of the breach came shortly after regulator the Electoral Commission announced that cyberattackers had gained unauthorised access to its email systems and electoral registration databases – and had gone undetected for 14 months.