ICO slams police force for ‘cavalier’ attitude to data after unencrypted interview footage goes missing
Greater Manchester Police slapped with £150,000 fine from data protection watchdog for failing to protect sensitive footage of interviews with victims of violent crimes
Greater Manchester Police was fined after three DVDs of interview footage were lost in the post - Photo credit: Pixabay
Greater Manchester Police has been fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes went missing in the post.
The DVDs - which were unencrypted and contained footage where victims were identifiable - were sent by the force to the Serious Crime Analysis Section of the National Crime Agency by recorded delivery but were not received. They have never been recovered.
The Information Commissioner’s Office investigated the incident, which happened in 2015, and found that the police force had breached data protection law.
The force, it said, had “failed to keep highly sensitive personal information in its care secure, and did not have appropriate measures in place to guard against accidental loss”.
Sally Anne Poole, the ICO enforcement group manager, said that the public had “every right to expect that their information is handled with the utmost care and respect”, but that the GMP had not done this.
“The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious,” she said.
“Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”
The investigation found that the GMP had been sending unencrypted DVDs by recorded delivery to the SCAS - which aims to identify potential serial killers and serial rapists at an early stage in their offending history - since 2009, and only stopped after the 2015 incident.
The GMP said in a statement sent to PublicTechnology that the delivery method was “in accordance with national guidance for sending sensitive information”.
But the ICO ruled that the GMP ought reasonably to have known there was a risk of the breach happening, noting that it was aware that the SCAS only used special delivery - where the package is signed for every time it changes hands, not just by the recipient - for sending confidential information by post.
It added that although “a technical solution such as encryption or remote access was not an option at the time of the security breach through no fault of GMP… ultimately, it was up to GMP to keep the DVDs secure”.
The GMP’s assistant chief constable Rob Potts said that the GMP was now “considering our response to this judgement”, but that it had already stopped using postal delivery for sensitive information following a review of its procedures after the 2015 data breach was discovered.
The force was fined £150,000 by the ICO in 2012 after an unencrypted USB stick was stolen.
Cabinet Office annual report shows digital agency also brought in more than £2m in extra revenue
The invalidation of the EU-US data-protection agreement could have major ramifications for UK organisations’ legal responsibilities
PublicTechnology research shows a big spike in the number of contracts awarded to IT security specialists by public-sector buyers
NCSC joins up with counterparts from US and Canada to attribute phishing and malware assaults to Kremlin-linked entities