The Information Commissioner’s Office has slapped a £130,000 fine on Humberside Police for failing to secure three disks that contained the testimony of a rape victim and also contained sensitive personal information of the victim.
The Information Commissioner’s Office said that the fine was imposed under the existing Data Protection Act which empowers it to levy fines of up to £500,000 on data controllers or data handlers in order to safeguard an individual’s fundamental right to the protection of personal data.
Mishandling of sensitive information
In a statement posted in its website yesterday, the ICO said that the said disks not only contained the victim’s testimonies but also contained “the victim’s name, date of birth and signature as well as details about the alleged rape itself, the victim’s mental health and the suspect’s name and address”.
Following a detailed investigation, the ICO concluded that Humberside Police failed to encrypt the disks and lost the disks during the process of posting the disks to Cleveland Police. It has now instructed the force to sign a commitment to take steps to improve its data protection practices.
“We see far too many cases where police forces fail to look after disks containing the highly sensitive personal information contained within victim or witness interviews,” said Steve Eckersley, head of enforcement at the Information Commissioner’s Office.
“Anyone working in a police force has a duty to stop and think whenever they handle personal details – making sure they are using the most appropriate method for transferring information and considering the consequences of it being lost before going ahead. Staff training in this area is vital.
“Police forces deal with such sensitive information that when things go wrong, it’s likely to be serious. This case shows how crucial it is to keep a clear record of what’s been sent, when and who to,” he added.
According to the ICO, Humberside Police interviewed the rape victim on 13 June 2015 on behalf of Cleveland Police and recorded her testimony relating to the period prior to the alleged rape, how the victim and the perpetrator met, details relating to the scene of the alleged rape, and the victim’s mental health status.
Humberside police then placed the three unencrypted disks in the same envelope prior to posting them to Cleveland Police. Having not received the disks, Cleveland Police contacted Humberside Police fourteen months later to report the potential loss of the disks. Following an internal search, Humberside Police concluded that the disks were lost and no copies were available.
Based on these facts, the ICO concluded that Humberside Police failed to encrypt the disks before sending by unsecure mail, that it failed to maintain a detailed audit trail of the package, and that the PVP unit of Humberside Police failed to adhere to its ‘information security policy’ in relation to removable media. It has ordered Humberside Police to pay a £130,000 fine but the amount will be reduced to £104,000 if the force pays the full amount by 1 May 2018.
Prior instances of mishandling of sensitive data
This isn’t the first time that police forces in the UK have been found indulging in poor data security practices. Last year, around 30,000 firearms owners across the country alleged that the Met Police had revealed their personal information, which included their addresses, to a commercial firm which was neither a government department, a regulatory body nor an enforcement agency.
According to the British Association for Shooting and Conservation, the private firm then used such information to contact firearms owners and offer them a product named THIEVES BEWARE® which could be used to identify the real owner of a burgled weapon.
A Freedom of Information request filed by security firm Huntsman Security also revealed that between January 1st 2016 and April 10th 2017, there were as many as 779 instances of UK police personnel misusing sensitive and internal data. As many as 603 cases of potential misuse of data were identified by the report in 2016 alone. In the first 100 days of 2017, the number of such cases was 176.
The PEEL: Police legitimacy 2016 report revealed that almost half of the police forces were unable to audit or monitor use of all of the forces’ IT systems. This had impacted the forces’ ability to spot officers or staff who accessed force systems to identify vulnerable victims. An exception to this rule was the South Yorkshire Police who scanned phone numbers dialled from force mobiles and landlines to identify and punish errant personnel.
“We were disappointed to find that almost half of forces do not have either the capability or the capacity to monitor and audit IT systems. Of those who do have the software required, many do not have the resources in their units to use it proactively,” the report said.