UK Information Commissioner fines Kent Police for passing on a woman’s personal information to ex partner in domestic abuse case

April 21, 2016

The Information Commissioner has fined Kent Police £80,000 for providing the data contained in a woman’s mobile phone to her ex partner’s solicitor.  The solicitor disclosed that information to his client, the woman’s ex partner.  That person happened to be a member of the Kent Police.

On the technical side, the case highlights how much information is stored on a smart phone. It is now a mobile office. In the United States of America that has raised the issue of whether a warrant should be obtained before accessing that detail, as the Bill of Rights, under the 4th Amendment, provides for a right against unlawful search and seizure. It also highlights the need for anyone obtaining a phone, computer or even USB stick that contains data to be aware that, while one may be focused on one file or piece of data, it is easy to inadvertently provide more than that. That can, and does, give rise to privacy breaches.

The media release provides:

A police force has been fined after sensitive personal details of a woman who accused her partner of domestic abuse were passed to the suspect.

Kent Police handed the solicitor the entire contents of the complainant’s mobile phone.

The force has now been fined £80,000 for what an ICO investigation found to be a serious contravention of the Data Protection Act.

Stephen Eckersley, ICO Head of Enforcement, said:

“Kent Police was investigating a serious matter yet the need to take proper care of the personal details they were entrusted with does not appear to have been taken seriously.

“Today’s fine should serve as a warning to other forces that it is vital they have robust measures in place to protect individuals’ personal data and guard against such inappropriate disclosures.”

The complainant had given her phone to Kent Police because it contained a video recording she said supported her accusation against her partner, who was a police officer. Her phone also contained lots of other files, with sensitive personal data including text messages and family photographs.

The officer was subject to a professional standards investigation by Kent Police into misconduct. Kent Police sent the officer’s solicitor the data contained in the woman’s mobile phone by mistake in advance of the misconduct hearing. The solicitor then disclosed the information to his client.

An ICO investigation found that Kent Police had inappropriate security measures, and that it had committed a serious breach of the law, likely to have caused substantial distress.

The Monetary Penalty Notice explains the basis for imposing the fine and, in doing so, provides guidance on what entities should do to properly maintain their own standards. The lack of comparable guidance is a flaw in the Australian system. The Commonwealth Privacy Commissioner is very languid in his determinations and at a State level the Privacy/Data Protection Commissioners publish very little. They work in the shadows. That is a serious error of public policy.

The Monetary Penalty Notice relevantly provides:

9. An individual (“the data subject”) accused her partner, a serving police officer of Kent Police, (“the officer”) of domestic abuse. She alleged that she was physically assaulted and suffered criminal damage to her property.
10. The data subject had a video recording on her mobile phone to support the accusation. Her mobile phone held over 13,000 files, including details of the data subject’s divorce, texts and intimate photographs containing (sensitive) personal data, all unrelated to the data subject’s complaint about the officer.
11. The data subject gave her mobile phone to Kent Police who extracted the entire contents of the data subject’s mobile phone.
12. The master copy was not directly readable, so the files were copied onto two CDs: an edited working copy containing only the relevant video recording and a full working copy containing all the files extracted from the mobile phone (“the full working copy”).
13. The full working copy included “unused” material in the criminal proceedings. Under the Criminal Procedures and Investigations Act 1996 (“CPIA”), the CPS may have to disclose such material to the defence if it undermines the prosecution case or assists the defence.
14. Subsequently, the data subject did not want to go to court and changed her mind about pursuing her complaint. The criminal proceedings were discontinued. The officer was then the subject of a misconduct investigation conducted by the Professional Standards Department.
15. On 12 February 2014, a manager employed by Kent Police disclosed documents to the officer’s solicitor in advance of the misconduct hearing. However, the full working copy was also sent to the officer’s solicitor by mistake, as a result of inappropriate security measures.
16. The officer’s solicitor disclosed this information to his client who then saw the files that had been extracted from the mobile phone and informed the data subject accordingly. The officer’s solicitor has refused to return the full working copy on the grounds that it is relevant to his client’s defence.
17. The criminal proceedings were re-instigated and the officer was acquitted. However, the officer has now been dismissed from Kent Police.

…………

21. Kent Police has accepted that the full working copy should not have been disclosed to the officer’s solicitor in these circumstances. The Commissioner finds that Kent Police did not have in place appropriate organisational measures for ensuring so far as possible that such incidents would not occur, i.e. for ensuring that data obtained from complainants (such as that obtained from the data subject’s phone in this instance) was only disclosed to other parties (such as the officer and/or his representatives) where it was lawfully, necessary and proportionate to do so.
22. In particular:
(a) Kent Police has in place a written procedure for how disclosures to defendants and their representatives should be managed in criminal cases. It has no comparable procedure for misconduct cases. For such cases, it has no written procedures for distinguishing between disclosable evidence and material which is not to be disclosed.
(b) The person to whom Kent Police entrusted the disclosure process was a hearings manager, who had an administrative role. That manager had no prior knowledge of these proceedings, and did not receive any (or any adequate) input, supervision or oversight from officers involved in the investigation (or others with similar experience) which would have enabled the hearings manager to distinguish between what was to be disclosed and what was to be withheld.
(c) Kent Police had in place no procedure for checking the contents of material prepared for disclosure prior to disclosure taking place, even in cases involving highly sensitive personal information.
23. The above deficiencies constitute inadequacies in Kent Police’s organisational measures for preventing unauthorised disclosures of personal data. They constitute a contravention of the seventh data protection principle.
………..
34. In the circumstances, Kent Police ought reasonably to have known that there was a risk that this contravention would occur unless it ensured the process was governed by written procedures, undertaken by staff with appropriate experience and supervision, and that material was checked prior to disclosure.
35. Second, the Commissioner has considered whether Kent Police knew or ought reasonably to have known that the contravention would be of a kind likely to cause substantial distress. He is satisfied that this condition is met, given that Kent Police was aware of the sensitive material (including intimate photographs) that were held on the mobile phone. Kent Police ought to have known that the mobile phones of the average person (including this data subject) contained personal information of a very private and sensitive nature that would cause substantial distress if used in ways the data subject did not envisage.
36. Kent Police should also have known that inappropriate disclosures in the context of this relationship (the data subject as complainant against the officer, her former partner) and the seriousness of the allegations were likely to result in substantial distress if excessive and unauthorised disclosures of personal data took place.
37. Therefore, it should have been obvious to Kent Police that such a contravention would be of a kind likely to cause substantial distress to the data subject.
38. Third, the Commissioner has considered whether Kent Police failed to take reasonable steps to prevent the contravention. Again, he is satisfied that this condition is met. Reasonable steps in these circumstances would have entailed putting in place written procedures governing disclosures in misconduct cases, ensuring that appropriately experienced and/or supervised staff undertook the disclosure process and that the outcome of their work was checked by someone else before disclosure was undertaken. Kent Police did not take those steps. The Commissioner considers there to be no good reason for that failure.
