Police force handed big fine for losing sensitive evidence
16 May 2017
GREATER MANCHESTER Police has been fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post.
The force sent the unencrypted DVDs to the Serious Crime Analysis Section (SCAS) of the National Crime Agency by recorded delivery but they were never received. The DVDs, which showed named victims talking openly, have never been found.
An investigation by the Information Commissioner’s Office (ICO) found that Greater Manchester Police failed to keep highly sensitive personal information in its care secure and did not have appropriate measures in place to guard against accidental loss. This is a breach of data protection law.
The ICO investigation found that Greater Manchester Police had been sending unencrypted DVDs by recorded delivery to SCAS since 2009 and only stopped after the security breach in 2015.
Sally Anne Poole, ICO Enforcement Group Manager, said: “When people talk to the police they have every right to expect that their information is handled with the utmost care and respect.
“Greater Manchester Police did not do this. The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious.
“Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”
Greater Manchester Police assistant chief constable Rob Potts said the force has changed its procedures for sending sensitive information. He told the Guardian: “The disks were sent in accordance with national guidance for sending sensitive information, however when it became apparent that the disks may have been lost we immediately reviewed our own procedures and as a result postal delivery is no longer used by GMP for sensitive information.
“I think it is important to stress that when the potential loss did become apparent, we worked closely alongside Royal Mail to do everything possible to try to find the disks and immediately informed the three people concerned in the video interviews.
“I also think it is important to stress that since this particular incident happened, the national guidance surrounding sending sensitive information has also been amended with the aim of preventing similar occurrences happening in future.”
The British Security Information Association (BSIA) released a statement following the ruling that stressed the need to ensure that confidential data is disposed of securely. Businesses should have a written contract with a company capable of handling confidential waste, which can provide a guarantee that all aspects of collection and destruction are carried out in a secure and compliant manner. To ensure this, suppliers should comply with European Standard BS EN15713:2009 for security shredding and also BS7858 for staff vetting.
BSIA information destruction section chairman Don Robins said: “Businesses need to safeguard the individuals that they hold data on by ensuring that documents are shredded by a reputable data destruction company when they are no longer required. The same caution must also be taken with computer or laptop hard-drives and any other items which could be used to identify or impersonate individuals.”
The ICO previously fined GMP £150,000 in 2012 after an unencrypted USB stick was stolen.