Dyfed-Powys Police Force in Wales signed an undertaking with the Information Commissioner’s Office (ICO) after a number of data breaches over an 18-month period were identified.
The ICO was alerted to multiple incidents that indicated a potential lack of data protection training and protocols. Although none of the breaches appear to have had any underlying malicious intent, the ICO recognised the seriousness of their repeated occurrence.
Multiple incidents reported
One of the incidents reported to the ICO involved sensitive personal data being sent by the Mental Health Team to an individual’s GP surgery by fax. Although the fax was sent to the right place, it was reportedly sent as an “open message” and without the individual’s consent.
ICO investigations reportedly found a distinct lack of appropriate data protection training for police officers and staff at the force. Of 2,258 police officers, 1,204 of them apparently didn’t have any data protection training. For those who did, there was reportedly no programme for refresher training to remind officers of their data protection duties and responsibilities.
A second incident occurred in January 2017 where an officer reportedly shared personal data about a councillor and a neighbour with the clerk of a local council. This officer had no authorisation to do so and it was revealed he had, unsurprisingly, never received any data protection training.
A third incident involved a picture taken on a mobile phone of a police officer’s work space where personal data was visible. This picture was reportedly sent to a family member who had no authority to see this information.
Again, the officer who sent the picture apparently hadn’t received any data protection training…
Not the first time the force has been investigated
Prior to these incidents, there had already been a call for Dyfed-Powys police force to be investigated for a reported string of data breaches. Earlier, in 2016, the force was found liable for the accidental leak of information belonging to eight convicted offenders. The email containing the confidential information was sent to a member of the public in error and resulted in a substantial £150,000 fine for the police force.
The ICO’s undertaking
On 27th September 2017, the ICO published the Undertaking document that details Dyfed-Powys police force’s commitment to comply with the seventh data protection principle.
The seventh principle in the Data Protection Act of 1998 provides:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Signed by Chief Constable Mark Collins on behalf of Dyfed-Powys Police, the undertaking identifies the following actions to help the force actively comply with its data protection duties:
- Data protection training to help officers understand and comply with data protection laws and how to process data properly
- Refresher training to ensure ongoing compliance with the Act
- Recording and monitoring training with prompt remedial action when there is any non-compliance
- Appropriate security measures to prevent unauthorised and unlawful processing, accidental loss, destruction, and/or damage to personal data
- The force will confirm its plans to implement and commit to the above steps within a month of agreeing to the undertaking