A police force has been blasted over data security failures by the Information Commissioner’s Office (ICO) after a “damning report” from the body responsible for overseeing the police in Scotland.
The ICO has reportedly demanded immediate action following an audit that has been described as “highly critical” with “urgent recommendations”.
It’s understood that the security of personal data, staff training and awareness, and data sharing are the areas of focus after investigations were undertaken to look into data security failures by the police.
Although we’re only able to act for victims of a data protection breach here in England and Wales, given Scotland has its own legal jurisdiction, data laws and responsibilities are nevertheless similar. The kinds of data breaches that the police there have been criticised for are also somewhat reminiscent of some of the breaches and investigations that have taken place south of the border.
According to the report, no formal training for data security is provided. It made 28 “urgent” recommendations and a further 73 “high priority” recommendations. It’s clear from the report’s conclusions that the police must shape up their data security efforts, or face fines and penalties from the ICO and claims from victims of police data protection breaches.
In one breach example, the police reported themselves to the ICO after they lost an unencrypted data stick containing data relating to 15 criminal investigations. With the volume of very personal and sensitive data that the police hold, it’s imperative that they do all they can to avoid data loss and data breach incidents. We have already seen the problems that can be caused by carelessness and a lack of encryption when sensitive police data is lost here in England as well.
According to the conclusions in the report:
“There is a very limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.”