The Welsh police fined for data breach involving losing video recording used as part of evidence in sexual abuse case
May 21, 2015
The UK Information Commissioner has issued the South Wales Police with a swingeing £160,000 fine for losing a highly sensitive interview of a victim. The media release provides:
The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.
The DVDs contained film of an interview with a victim, who had been sexually abused as a child. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.
The recorded interview took place in August 2011 and the loss was discovered by staff after an office move in October 2011 but the security breach then went unreported for nearly two years due to lack of training. Although the DVDs were stored in a secure part of the police station, South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.
A second interview had to be abandoned due to the victim’s distress and the DVDs have still not been recovered. The defendants were eventually convicted in court.
Anne Jones, Assistant Commissioner for Wales said: “Without any doubt we would expect a professional police force, in a position of trust, dealing with this type of highly sensitive information from victims and witnesses on a daily basis to have robust procedures to keep track of the personal data in their care.
“The organisation has failed to take all appropriate measures against the unauthorised processing and accidental loss of personal data. This breach is extremely serious and despite guidance from our office, the Ministry of Justice and Association of Chief Police Officers stating it is essential to have a policy on storing this sort of information they still haven’t fully addressed the issue.
“The monetary penalty given to South Wales Police should send a clear message that organisations have to take responsibility for personal data and the way in which it is stored.”
In addition to the monetary penalty, the Information Commissioner has asked the police force to sign an undertaking to ensure the changes are made to implement policies to stop any incidents happening again.
The Monetary Penalty Notice is found here.
The facts were briefly stated as:
An investigating officer had possession of three unencrypted DVDs (one master copy and two working copies) (‘DVDs’). The DVDs all contained the same video recording of an interview with a victim who had been sexually abused when she was a child. The DVDs were the only digital records of the interview.
The interview took place on 25 August 2011 and was two hours and 46 minutes in length. The Commissioner understands that the content of the video was graphic and distressing. The victim’s face can be seen clearly throughout the recording and both perpetrators were also named.
The Undertaking sets out the events, which highlight how easy it is to lose sensitive data when training and data-handling policies are poor:
The data controller did not have a specific policy on how DVDs containing the video recordings of victim and witness interviews should be stored in police stations. Consequently, for some time the storage practices had differed across the force.
In this particular police station, the DVDs were being stored in the investigating officer’s desk which she shared with another colleague. The desk was in an area of the police station to which access was restricted by a digital electronic keypad.
In October 2011, the investigating officer became aware that the DVDs had been lost following an internal office move. Despite extensive searches of the police station and enquiries being made elsewhere, the DVDs could not be found. The investigating officer’s line manager was not aware of the procedure for reporting security breaches. As a result, the data controller was not aware that the DVDs had been lost until 12 August 2013.
The bases for the heavy fine were:
The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress.
The failure to take appropriate organisational measures was likely to cause substantial distress to the victim who may know or suspect that her confidential and sensitive personal data has been disclosed to a recipient who has no right to see that
The victim was aware that the DVDs had been lost and was justifiably concerned that this could have jeopardised the prosecution thereby causing further distress to As a result, the victim had to endure a second interview with the police that had to be abandoned because she was so distressed. She also had to give evidence at the defendant’s trial which may have been curtailed if the DVDs had been in existence. It is still possible that the loss of the DVDs could affect the outcome of any appeal against conviction and/or sentencing by the defendants.
If the defendants’ conviction had failed as a result of the security breach, it was also likely that substantial damage would be caused to the victim who could have been intimidated, physically attacked or further abused by the
Further, the victim is likely to be distressed by justifiable concerns that her data may be further disseminated even if those concerns do not actually materialise. The DVDs have still not been recovered by the data
As a consequence the Information Commissioner found:
The Commissioner is satisfied that there has been a serious contravention of the Seventh Data Protection
In particular, the data controller failed to take appropriate organisational measures against the unauthorised processing and accidental loss of personal
Such measures might have included:
- Centralised storage of the DVDs/log;
- Usage procedures/log;
- Secure storage of master copies; and
- Regular training in relation to reporting procedures following a security
The Commissioner considers that the contravention is very serious because for some time, there has been an underlying failure by the data controller to put appropriate security measures in place for the unencrypted DVDs that were intended for use in criminal proceedings. As a result, the only digital recording of an interview with the victim has been lost and could have been accessed by unauthorised third parties. This is unacceptable in view of the nature of the information contained in the DVDs which should have been afforded the highest levels of security.
In this case the Commissioner found that it was reasonable to expect that a contravention would occur when he stated:
The Commissioner is satisfied that section 55A(3) of the Act applies in that the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the
The Commissioner has taken this view because the Association of Chief Police Officers issued guidance in 2007 (Digital Imaging Procedure) emphasising the need to store master copies securely. In addition, the Ministry of Justice issued guidance in March 2011 (Achieving Best Evidence in Criminal Proceedings) that it was an ‘essential’ requirement to have a policy on the storage of such
At the same time, the data controller had a policy in relation to the transfer of DVDs externally so that DVDs of particular sensitivity had to be stored in approved containers for transport between sites. The data controller also adhered to PACE 1984 in relation to the storage of DVDs containing video recordings of interviews with suspects. Therefore, the data controller must have been aware of the risks associated with such
In particular, the data controller was used to handling DVDs containing confidential and sensitive personal data during an investigation and was aware of its importance in the subsequent prosecution by the
In the circumstances, the data controller knew or ought to have known that there was a risk that the contravention would occur unless reasonable steps were taken to prevent the contravention, such as those outlined. Further, it should have been obvious to the data controller who was aware of the graphic and distressing nature of the personal data contained in the DVDs that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the data subjects.
The aggravating factors the Commissioner took into account were:
Effect of the contravention
- The loss of the DVDs had the potential to interfere with the administration of justice.
- The DVDs have still not been found
Behavioural issues
- The data controller was not aware of security breach for nearly two years.
- The data controller has still not implemented a force wide policy for the storage and management of digitally recorded witness interviews
Impact on the data controller
The data controller is a public authority so liability to pay a monetary penalty will not fall on any individual.
The data controller has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial
The mitigating factors were:
Nature of the contravention
- No previous similar security breach that the Commissioner is aware of.
- DVDs were stored in a secure part of the police
- To the Commissioner’s knowledge, the DVDs have not been accessed or further disseminated
Behavioural issues
Extensive searches were made to locate the missing
Voluntarily reported to the Commissioner’s
Data controller has been co-operative with the Commissioner’s office.
Impact on the data controller
Significant impact on reputation of data controller as a result of this security breach.
Given the fine came in at £160,000, it is fair to say that the aggravating factors significantly outweighed those in mitigation.