Breach details
What | Loss of sensitive personal data relating to criminal activities. |
How much | 1,075 records |
When | 17 July 2011 |
Why | Theft of an unencrypted memory stick from an officer’s home. |
BW Comments
It is really hard to stop the use of unencrypted media unless it is blocked by endpoint protection software and encrypted USB drives are issued to everyone who needs them. A written policy that is not enforced is useless. This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach, the police force held an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives, despite having a policy stating that such drives should not be used. |
Regulatory action
Regulator | ICO |
Action | Monetary penalty of £150,000. |
When | 13 September 2012 |
Why the regulator acted
Breach of act | A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers for access away from the office. |
Known or should have known | Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection. |
Likely to cause damage or distress | The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations. |
BW Observations
Given the apparently endemic use of unencrypted media by the force, the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers. |
Links
View PDF of the Greater Manchester Police Monetary Penalty Notice (Breach Watch Archive) |
View PDF of the Greater Manchester Police Monetary Penalty Notice (Via ICO Website) |