ICO Raps Police Forces Over Data Protection

Police forces have been criticised by the data protection watchdog, the Information Commissioner’s Office (ICO), in a report which revealed some alarming lapses, inmcluding how few police forces fully adhere to the 1998 Data Protection Act (DPA).

Improvement Needed

The ICO report took a year to complete and is an audit of seventeen police forces, out of the total 43 police forces within the United Kingdom.

It assessed these police forces on six core areas including their records management, their security of personal data, their data sharing, as well as staff training and awareness. It also examined how the police forces dealt with requests for personal data, and how they adhered to the data protection governance requirements of the DPA.

The ICO found that out of the seventeen surveyed police forces, 59 percent fell within the “reasonable assurance” range (i.e. there was some scope for improvement in their existing arrangements).

But somewhat worryingly, 35 percent of the unnamed surveyed police forces fell within the “limited assurance” range (i.e. there is scope for improvement in their existing arrangements). Only one police force achieved the “high assurance” rating (i.e. limited scope for improving existing arrangements – significant action unlikely to be required).

Many Incidents

It is fair to say that the police have had a chequered past when it comes to their handling of personal data and meeting the requirements of the data protection.

In 2013 Hertfordshire Constabulary was ordered to review its illegal automated collection of people’s number plates. The ICO said the Automatic Number Plate Recognition (ANPR) operation had broken two principles of the Data Protection Act.

And then in 2012, the Metropolitan Police was forced to apologise after it revealed the email address of 1,136 people when it sent out a survey. That same year, Greater Manchester Police was fined £120,000 for failing to keep data properly secure when an unsecured USB stick was stolen from an officer’s home.

In 2011 Lancashire Police censured for breaching the DPA, when they accidentally published sensitive personal details of an individual’s complaint on its website.

And in 2010 a USB stick, said to contain anti-terror training manuals and other sensitive material, was found by a businessman on the pavement outside a Police station in Stalybridge, Greater Manchester.

Are you a pedant on privacy? Try our quiz!