Police committing more than ten data breaches each weekPublished: 06/07/2016
Examples include officer giving USB containing sensitive police information to a member of the public.
Police forces are failing to keep personal information safe with more than 2,000 data breaches conducted by officers and staff over a four-and-a-half-year period, a report has found.
A Freedom of Information request sent to all forces by civil liberties group Big Brother Watch found there were 2,315 breaches in police forces between June 1 2011 and December 31 2015, with more than 800 relating to accessing personal information without a policing purpose.
Information was inappropriately shared with third parties more than 800 times.
Specific examples cited in the report include a Met officer finding the name of a victim amusing and attempting to take a photo of his driving licence to send to his friend via snapchat and an officer in Dyfed Powys who passed a USB device, which contained sensitive police information, to a member of the public.
In 55 per cent of cases, no disciplinary or formal disciplinary action was taken, with 13 per cent resulting in either a resignation or dismissal.
Only three per cent of cases resulted in a criminal conviction or caution, something the group urges should change in order to prevent further misuse and abuse.
“Existing penalties for serious data breaches are not enough of a deterrent,” the report states.
“Anyone found guilty of a serious breach should be subject to a potential custodial sentence.”
Currently the most severe penalty for anyone found to be in breach of Section 55 of the Data Protection Act 1998 is a maximum fine of £500,000.
The document – entitled Safe in Police Hands – also recommends that those who carry out a serious data breach should be given a criminal record and that where a breach concerns a member of the public that person should be informed as soon as possible.
According to the report, the forces with the greatest number of breaches are West Midlands Police with 488, Surrey with 202 and Humberside with 168, although the figures have been challenged.
“We always advise caution when interpreting Freedom of Information statistics. It is clear from this data set that police forces have responded to the information request in different ways so it is not comparing like for like − a point accepted by Big Brother Watch,” said a spokesman for West Midlands Police.
“West Midlands Police has also included other types of breaches in these figures and not, it appears unlike other forces, strictly data protection breaches.
“We are not afraid of letting the public see how we work because as an organisation we welcome openness.”
Ian Redhead, national lead on data protection, said the service takes its responsibility to protect sensitive information “extremely seriously”.
“National guidance is available from the College of Policing and forces should have clear, tested and robust procedures in place designed to meet our legal obligations under the Data Protection Act and make sure information is handled correctly at all times.
“Public trust is key to good policing. Abuse of that trust is unacceptable and, in the rare cases where staff fail to meet our high professional standards, they will be held to account and dealt with appropriately.”
According to the College of Policing’s Disapproved Register, 20 officers across England and Wales – including British Transport Police, Ministry of Defence Police, Civil Nuclear Constabulary and States of Jersey Police –were dismissed for “data misuse” in 2014/15, with eight resigning while under investigation for such offences and one retiring.
Big Brother Watch states that the issue is even more pressing considering the plans to allow officers access to Internet Connection Records under the Investigatory Powers Bill, a power which they say should be removed.
“The information the police will have access to under these powers is vast. Police forces are already struggling to keep the personal information they can access secure. It is clear that the addition of yet more data may just lead to the risk of a data breach or of misuse,” it states.