Regulator completes investigation into incident in which an individual requested a copy of footage of 48 hours spent in custody, only for the force to discover two hours were missing
The Information Commissioner’s Office has hit Greater Manchester Police with a formal reprimand over “serious shortcomings” in how the force handles CCTV.
The official rebuke relates to footage taken during a 48-hour period in February 2021 in which a person was held in custody. The Professional Standards Directorate of Greater Manchester Police (GMP) subsequently asked that the force retain this recording beyond the standard storage period of 90 days.
Following this request, the footage was later subject to a subject access request – a process affording individuals the right to ask an organisation to be supplied with a copy of all data held on them.
In responding to a request for such information, GMP “realised two hours of the footage was missing” from the 48-hour period, according to the ICO.
“GMP states that, despite all attempts, it is unable to recover the missing two hours of footage,” the regulator added, “This led GMP to self-reporting a personal data breach to the ICO on 5 September 2023.”
Following an investigation, the data watchdog has concluded that, not only did the Mancunian police fail to meet its duty to provide a complete copy of a data held on an individual, but that it also “failed to ensure that the appropriate technical or organisational measures were in place to protect the accidental loss of the CCTV data it was processing”.
The ICO “found two key failings” in GMP’s process related to data protection: confusion over which staff held responsibility to ensure the quality of retained footage; and insufficient guidance on quality and checking processes.
Related content
- ICO issues data protection warning over domestic abuse victims after DWP and local councils reprimanded
- ICO: Instead of massive fines, regulation works best when we work alongside organisations
- Information commissioner: ‘I want us to be for all of society – not just those with the resources to access data protection’
The regulator’s head of investigations Sally Anne Poole said: “CCTV footage, particularly of a person at their most vulnerable, can contain highly sensitive personal data and must be properly protected. It is vital that authorities like police forces have the strictest measures in place to protect personal data to maintain public trust. It is clear in this case that Greater Manchester Police failed its obligation to keep the complainant’s personal data safe and demonstrated serious shortcomings in how it handles CCTV footage.”
She added: “Data protection is not an afterthought; it is a core responsibility. In this case, we see the potential consequences when this responsibility is not properly adhered to. Police forces and public bodies across the country can learn from failures like this and ensure they have the right systems and oversight in place to prevent these mistakes from happening again. Public trust depends on it.”
The ICO acknowledged that, in the past 20 months, GMP has taken a number of remedial measures in response to the breach, including the implementation of “a strictly regulated process to ensure that only authorised force personnel have access to the footage held within the CCTV server”.
Other steps taken by the force include: the introduction of strengthened polices regarding the retention of CCTV footage; additional governance measures to oversee policies and processes; and extra “proactive investment” in the tech infrastructure underpinning CCTV systems.
A GMP spokesperson said: “We note the findings made by the ICO as to our processes, procedures and oversight of training relating to retaining personal data captured on custody CCTV in 2021. We have fully co-operated with the ICO’s investigation and have implemented changes in avoidance of further infringements, recognising the importance of securely handling personal data so as to safeguard against its accidental loss.”
