Manchester Police fined for losing videos of violent and sexual crime victims

The Information Commissioner’s Office (ICO) has concluded their investigations into the Greater Manchester Police (GMP) after video footage of crime victims were lost in the mail.

The video footage included interviews with vulnerable victims speaking about crimes of a violent and/or sexual nature. The package containing 3 DVDs were sent by recorded delivery to the Serious Crime Analysis Section (SCAS), but never arrived.

The footage was not encrypted.

Whoever potentially gets their hands on the package could easily access the information. Having lost the DVDs with no tracking, the GMP may never know if someone has found it, accessed it, or used the data.

The ICO found that the GMP had:

“…failed to keep highly sensitive personal information in its care secure and did not have appropriate measures in place to guard against accidental loss.”

The intended recipient, SCAS, is in charge of seeking out and identifying the most horrific criminals including serial killers and serial rapists. We can only imagine the fear and distress caused to the already vulnerable victims involved in the data breach.

Breach of the Data Protection Act

In failing to implement adequate security measures, the GMP has seriously breached the seventh data protection principle in the Data Protection Act that states data controllers must have appropriate security to prevent personal data from being compromised. For their serious failure, the ICO issued GMP with a £150,000.00 fine.

The police force has a duty to protect civilians and this includes their information. Civilians put their trust and confidence in the force with the expectation that they will be treated with care and respect. In an ever increasing digital world, data is often recognised as an extension of the data owner. An individual’s personal data can be as important as their physical being, and any harm to data can cause understandable harm to the individual’s mental health; especially with sensitive information like the footage lost in this case. We can’t imagine what the victims may be going through, despite the fact we have helped victims of serious data leaks and breaches for years.

Condemnation from the ICO

The ICO condemned GMP’s lax approach towards handling sensitive information, saying:

“GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”

GMP was found to have been sending sensitive information to SCAS in the same way for six years. In those half a dozen years, all DVDs were sent by recorded delivery but were completely unencrypted.

Not the first fine for the GMP…

The £150,000.00 fine is not GMP’s first. Back in 2012, the ICO issued the same amount in penalty fines when a USB stick containing sensitive information was stolen from an officer’s home. The information on the USB was also unencrypted and not password protected. David Smith, Director of Data Protection at the time of the 2012 incident, spoke out against unencrypted files, warning that sensitive information requires proper data security.

It seems like GMP needs more than a couple of fines to overhaul the way they handle sensitive information…

Legal duty to protect our data

All companies and authorities have a legal duty to protect the information they handle. This duty is heightened when it comes to sensitive information, as the potential for damage can be even greater. GMP breached this duty and paid for it financially, but it’s the victims who really pay.

No amount of compensation can truly repair the damage; we know that.

Source:
https://ico.org.uk/media/action-weve-taken/mpns/2014007/gmp-mpn-20170502.pdf

How much did WannaCry hackers receive from their ransomware attacks?

Cyber insurance surges in demand amidst growing concerns over cyber security