
ICO Censures Lancashire Police For Data Breach

Lancashire Police has been rapped over the knuckles for breaching the Data Protection Act (DPA), just days after its former chief of police, Sir Paul Stephenson, resigned from the Met as part of the ongoing fallout from the phone hacking scandal.

The Information Commissioner’s Office (ICO) was less than impressed when Lancashire Police accidentally published sensitive personal details of an individual’s complaint on its website.

The police force should have edited the complaint to meet the terms of the DPA.

Tardy Response

To make matters worse, however, the personal information was allowed to stay online for four days after the Lancashire Police Authority was first made aware of the mistake.

“The details were disclosed after the authority failed to redact the information, which was marked as restricted, from two documents before they were published online,” said the ICO. “The authority also failed to remove the information after the complainant made them aware of the breach on 24 January. This meant that the information was available online for a further four days before it was removed.”

Despite this, the ICO opted not to issue a financial penalty in this case, but it did order the authority to make sure that any information due to be published on the website is checked and correctly redacted before it is made available.

The authority has also agreed to introduce a new policy for staff which explains the actions they must take when informed of a possible data breach.

“While it is important that public authorities are transparent about the work they do by publishing information online, this should never be at the expense of an individual’s rights to privacy,” said the ICO’s Director of Operations, Simon Entwisle.

“There can be no excuse for publishing someone’s personal information online, and the fact that the Authority failed to remove it when told makes this case all the more concerning,” he said.

Data Carelessness

“We are pleased that Lancashire Police Authority will now make sure any documents due for release are properly checked by suitably trained staff,” said Entwisle. “This case should act as a warning to all public authorities that information security must be seen as a priority across the organisation.”

Meanwhile, Miranda Carruthers-Watt, Chief Executive of Lancashire Police Authority, has signed an undertaking to ensure that procedures are introduced so this doesn’t happen again.

However, this is not the first time a police force has been careless with data.

In September last year, a USB stick, said to contain anti-terror training manuals and other sensitive material, was found by a businessman on the pavement outside a police station in Stalybridge, Greater Manchester.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
