Out-Law / Your Daily Need-To-Know

Theft of data detailing individuals' links to criminal investigations costs police force £120,000

16 Oct 2012, 2:24 pm

A major police force has been fined £120,000 by the Information Commissioner's Office (ICO) after information detailing more than 1,000 individuals' links to serious crime investigations was stolen from a storage device.

The UK's data protection watchdog deemed Greater Manchester Police (GMP) to be guilty of a serious breach of the Data Protection Act after its investigations revealed that a memory stick containing the personal data had not been password protected. The storage device was stolen from an officer's home by a burglar and has never been recovered.

The ICO said that GMP had failed to act sufficiently to rectify its approach to data protection after experiencing a similar data breach in 2010.

"The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office," the ICO said in a statement. "Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection."

Under the DPA data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The ICO can fine organisations up to £500,000 for serious breaches of the Act. GMP was initially issued with a civil monetary penalty (11-page / 897KB PDF) of £150,000 over this data breach but received a 20% discount on the fine levied for paying it early.

"This was truly sensitive personal data, left in the hands of a burglar by poor data security," David Smith, the ICO's director of data protection, said in a statement. "The consequences of this type of breach really do send a shiver down the spine."

“It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action. This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes," Smith added.

GMP has now taken action to prevent officers from downloading personal data from its network computers to storage devices unless they are authorised to do so, the ICO said.