UK Information Commissioner fines Chief Constable of Dyfed-Powys Police for significant data breach

June 10, 2016 |

Poor data handling policies can lead to very embarrassing outcomes, particularly when they result in email being used to transmit sensitive information; misdirected email is a common form of data breach. A police officer at Dyfed-Powys used the internal email system on 18 June 2015 to send emails to five internal recipients. One of the emails contained a list of 8 registered sex offenders in Powys, including their names, addresses, telephone numbers and email addresses.

The officer sent the email to a person outside the police service, in other words, outside the internal email system.  The recipient was a member of a community scheme, who notified the police of the error.

The Information Commissioner found that the list should not have been sent and, regarding the internal controls, stated at [12]:

  • Dyfed-Powys Police failed to ensure that an internal e-mail address was the first entry in the global address book
  • Dyfed-Powys Police failed to ensure that the global address book only contained internal e-mail addresses
  • Dyfed-Powys Police failed to provide officers with specific guidance or training on the importance of double checking that an e-mail address is correct before information is sent to a recipient

In considering the seriousness of the contravention he noted:

  • “Dyfed-Powys Police’s failure to take adequate steps to safeguard against unauthorised disclosure is serious having regard to the number of data subjects, the confidential and highly sensitive nature of the personal data and the potential consequences” [25]
  • “The recipient of the e-mail could infer that the individuals on the list were sex offenders. Dyfed-Powys Police serves a large geographic area but mainly rural population, increasing the possibility that the recipient knew one or more of the sex offenders. E-mail addresses can also be searched via social networks and search engine” [28]
  • “…it is important to bear in mind that in 2008 a sex offender was killed in a vigilante attack unrelated to the data subjects” [32]

In terms of the foreseeable consequences of the breach, the Commissioner stated:

  • Dyfed-Powys Police ought reasonably to have known that there was a risk that this contravention would occur unless it ensured the process of sending an e-mail from Outlook was governed by appropriate technical and organisational measures, particularly after five e-mails containing personal data had already been sent to AB in error [39]
  • Dyfed-Powys Police was aware of the confidential and highly sensitive information that was contained in the e-mail. Therefore, it should have been obvious to Dyfed-Powys Police (who were fully aware of the risks to the safety of sex offenders living in the community) that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the data subjects [40]
  • Reasonable steps in these circumstances would have included creating an internal e-mail address as the first entry in the global address book, monitoring the contents of the global address book and e-mail activity, advising police officers who make such errors and providing them with specific guidance or training on the importance of double checking that an e-mail address is correct before information is sent to a recipient. Dyfed-Powys Police did not take any of those steps. The Commissioner considers there to be no good reason for that failure [41]
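The "reasonable steps" listed above are essentially two technical controls (keep the global address book internal-only, with an internal entry first) and one process control (check the recipient before sensitive material leaves). The following is an added example, not from the ICO notice or from Dyfed-Powys Police, of how a mail-gateway or client plug-in might implement those checks. The internal domain `example.police.uk`, the address-book contents, the message headers and the `OFFICIAL-SENSITIVE` subject marker are all constructed for illustration.

```python
"""Recipient and address-book checks modelled on the controls the
Commissioner found missing.  All domains, addresses and headers below
are constructed examples (assumptions), not real data."""
from email.utils import getaddresses, parseaddr

# Assumption: the organisation's own mail domain(s).  Subdomains count as internal.
INTERNAL_DOMAINS = {"example.police.uk"}

# Assumption: subject markers that identify material needing a recipient check.
SENSITIVE_MARKERS = ("OFFICIAL-SENSITIVE", "RESTRICTED")


def is_internal(address: str) -> bool:
    """True when the mailbox domain is an internal domain or a subdomain of one."""
    _, addr = parseaddr(address)          # accepts 'Name <user@dom>' or bare 'user@dom'
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS
    )


def audit_address_book(entries):
    """Return findings for a global address book given in display order.

    Two controls from the notice: the first entry must be internal (so a
    default or mis-clicked selection lands on an internal mailbox), and no
    external address may be present at all.
    """
    findings = []
    if not entries:
        return ["address book is empty"]
    if not is_internal(entries[0]):
        findings.append(f"first entry is external: {entries[0]}")
    findings.extend(f"external entry present: {e}" for e in entries if not is_internal(e))
    return findings


def external_recipients(header_values):
    """Given the raw To/Cc/Bcc header strings, return external addresses only."""
    values = [v for v in header_values if v and v.strip()]   # skip absent headers
    return [addr for _, addr in getaddresses(values) if addr and not is_internal(addr)]


def is_sensitive(headers) -> bool:
    """Assumption: sensitivity is signalled by a marker in the Subject line."""
    subject = headers.get("Subject", "").upper()
    return any(marker in subject for marker in SENSITIVE_MARKERS)


def check_outbound(headers):
    """Decide what to do with an outbound message before it leaves the system.

    Returns (decision, external_addresses):
      HOLD  - sensitive content addressed outside the organisation; require
              explicit confirmation from the sender before release
      WARN  - external recipient but no sensitivity marker; prompt the sender
      ALLOW - every recipient is internal
    """
    ext = external_recipients([headers.get(h, "") for h in ("To", "Cc", "Bcc")])
    if ext and is_sensitive(headers):
        return "HOLD", ext
    if ext:
        return "WARN", ext
    return "ALLOW", []


if __name__ == "__main__":
    # Constructed address book: an external community-scheme address has crept
    # in and sits first, exactly the state the notice criticises.
    gal = ["volunteer@community-scheme.example.org", "pc.smith@example.police.uk"]
    for finding in audit_address_book(gal):
        print("GAL audit:", finding)

    # Constructed outbound message with one internal and one external recipient.
    msg = {
        "To": "PC Smith <pc.smith@example.police.uk>, volunteer@community-scheme.example.org",
        "Cc": "",
        "Subject": "OFFICIAL-SENSITIVE: list of registered offenders",
    }
    print("Outbound decision:", check_outbound(msg))
```

The audit is meant to run on a schedule over an export of the directory, and the outbound check at the gateway or as a send-time prompt; holding rather than silently dropping the message keeps legitimate external correspondence working while forcing the double check the Commissioner describes.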

It was a very serious breach and accordingly a stiff penalty of £150,000 was applied.
