Kent Police

Breach details

What Highly sensitive and confidential information, including copies of police interview tapes, were left in the basement of a former police station, which had been sold in September 2012. This was discovered after a police officer visited some business premises on an entirely separate matter, and noticed a box of videotapes with the logo and name of Kent Police. The owner confirmed that he had found the videotapes and was intending to view the contents of the videotapes as a possible source of entertainment
How much Numerous records dating as far back as the late 1980s.
When 28 November 2012.
Why In the absence of any specific policies or procedures, it was unclear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. This lack of documented procedures was made worse by a failures in communication between the different departments involved in the extended process of decommissioning the building.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 19 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Kent Police failed to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as having specific procedures in place to ensure that the basement of the former police station had been cleared of all items before it was sold to a buyer.
Known or should have known  The data controller was used to dealing with such information and had taken some steps to safeguard the information by carrying out inspections of the former police station, even though the steps taken proved to be inadequate.
Likely to cause damage or distress The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects even if this is simply by knowing that their confidential and sensitive personal data could have been accessed by the buyer who had no right to see that information. Furthermore there was a risk that the  data may be further disseminated, such as to the media, or used for other purposes by the buyer, with the potential to cause substantial damage to witnesses and informants, such as by putting them at risk of physical harm.

Derbyshire, Leicestershire and Nottinghamshire Police Forces

Breach details

What The theft of laptops containing sensitive personal data including prison records and offender details.
How much Approximately 4,500 records held on eight laptops.
When 14 August 2010.
Why These police forces were part of the East Midlands Collaboration Unit (EMCU), whose offices were burgled in August 2010. Eight laptops belonging to seconded offices were stolen; they had not been stored in available lockable containers and two were unencrypted. Derbyshire and Leicestershire Police had not undertaken their own risk assessments and relied on the security measures of Nottingham Police. However, this did not specify that laptops should be encrypted, made no provision for locking them in containers, and did not monitor the offices during this period.

Regulatory action

Regulator ICO
Action Enforcement Notice issued to limit the sharing of personal data.
When 18 June 2013
Details These police forces shall only share personal data as part of a collaborative project if a Senior Information Risk Owner has been appointed to oversee the work and risk assess the premises; laptop and other portable electronic security devices are encrypted; and all officers involved in the project are given appropriate training. These measures should been implemented within 35 days.

Hertfordshire Constabulary

Breach details

What Breach of the First and Third Data Protection Principles and the European Convention on Human Rights.
Personal data in the form of vehicle numberplates.
How much An unknown number of records.
When Unknown.
Why Currently all vehicles entering and leaving Royston have their numberplates recorded by ANPR cameras. Although this data can only be accessed in limited circumstances the Commissioner is concerned it could be used for other purposes, and there is a risk of its unauthorised or unlawful access.

Regulatory action

Regulator ICO
Action Enforcement Notice Issued to Hertfordshire Constabulary.
When 15 July 2013.
Details Enforcement notice issued to ensure that within 90 days the personal data recorded by the ANPR cameras will no longer be processed without a Privacy Impact Assessment.

Greater Manchester Police

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by an endpoint protection software and encrypted USB drives are issued to everyone that needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

CPS Mistakenly Releases Names of Student Protesters

What
Loss of sensitive personal data

How much
Unknown.

Why
After a Freedom of information request, the Crown Prosecution Service mistakenly released the names of 299 people arrested during protests over tuition fees in 2010 and 2011.

The FOI request by a member of the public was to provide figures for costs and resources used in the Metropolitan Police’s Operation Malone (the investigations following a series of demonstrations by students against tuition fees in 2010 and 2011). In response they received a spreadsheet detailing not only Operation Malone but also other disturbances, and containing the names and other sensitive data of 299 people, 44 of whom were under 18, and 116 of whom were not charged.

Regulator

None to date.

Regulatory action
None to date, however a spokesperson for the Information Commissioner told The Huffington Post UK that they were looking into the case.

Reason for action
None to date.

When
September 2012

Links

 

South Yorkshire Police

What
Loss of personal data

How much
600 records.

Why
Personal data, relating to drug offences by 600 arrested individuals, was accidently included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be training in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offender’s names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.

When
26 June 2012

Links
View PDF of the South Yorkshire Police Undertaking (Via ICO Website)

View PDF of the South Yorkshire Police Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Cheshire East Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why An email containing sensitive personal information relating to an individual of concern to the police was distributed to 180 unintended recipients, due to mistaken forwarding of the email, following errors of communication in the “Potentially Dangerous Person Unit”.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 15 February 2012

Why the regulator acted

Breach of act Sensitive email mistakenly forwarded to over 180 recipients.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitivity of their work by its very definition, yet an assistant officer had not received any data protection training.
Likely to cause damage or distress Details could jeopardise the data subject’s livelihood.

Child Exploitation Online Protection Centre and the Serious Organised Crime Agency

What

The CEOP’s website reporting forms were being transmitted insecurely.

How much

None.

Why

A member of the public realised that the website’s reporting page was insecure.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is made secure and subject to regular checks.

Reason for action

Reports were transmitted unencrypted in plain text and this had been the case for several months.

When

15 September 2011.

Links

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Via ICO Website)

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Breach Watch Archive)

Lancashire Police Authority

What

Loss of sensitive personal data.

How much

Unknown.

Why

Sensitive personal data was accidentally published on the data controller’s website.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient training and security measures are put into place to prevent accidental disclosure of sensitive data.

Reason for action

The data controller was insufficiently familiar with the relatively new system being used to publish their website and failed to take immediate action having been made aware of the error.

When

19 July 2011.

Links

View PDF of the Lancashire Police Authority Undertaking (Via ICO Website)

View PDF of the Lancashire Police Authority Undertaking (Breach Watch Archive)