Out-Law / Your Daily Need-To-Know

Out-Law News 1 min. read

Police force published sensitive personal data on its website, data protection watchdog says


A UK police force that published a complaint it had received which included sensitive personal data was in breach of data protection laws, the Information Commissioner's Office (ICO) has said.

The information should have been redacted as the individuals' complaint disclosed information relating to the "commission or alleged commission of an offence", the ICO said.

Lancashire Police Authority published the unredacted complaint on its website as part of a disclosure of organisational minutes and agendas, the ICO said.

The unredacted complaint remained on the website for four days after the error was pointed out on 24 January this year, the ICO said.

Under provisions within the UK's Data Protection Act it is unlawful for organisations in control of personal data not to secure the information against accidental loss or damage.

"The breach arose from the incorrect use of a relatively new system used by [Lancashire Police Authority] to publish the agenda packs online," the ICO said in a publication of the data protection undertakings (3-page / 63KB PDF) the police force has committed to following the breach.

"This suggested that the data controller may have had an inadequate understanding of the system or insufficient training in place for its users, prior to the system going live," the undertakings said.

"The error was compounded when the data controller was informed of the breach but failed to take immediate action to remove the data resulting in this information being publically available on their website," the undertakings said.

The undertakings include commitments Lancashire Police Authority have had to make to ensure technical security measures are adequate enough to prevent personal data being accessed without authorisation and that quality assurance checks are conducted on minutes and agendas before they are published on its website.

The authority has also agreed to introduce a new policy for staff which explains the actions they must take when informed of a possible data breach, the ICO said.

“While it is important that public authorities are transparent about the work they do by publishing information online, this should never be at the expense of an individual’s rights to privacy," the ICO's Director of Operations, Simon Entwisle said in a statement.

"There can be no excuse for publishing someone’s personal information online, and the fact that the Authority failed to remove it when told makes this case all the more concerning," Entwisle said.

“We are pleased that Lancashire Police Authority will now make sure any documents due for release are properly checked by suitably trained staff. This case should act as a warning to all public authorities that information security must be seen as a priority across the organisation,” Entwisle said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.