UK Information Commissioner reprimands West Midlands Police for data protection breach
March 5, 2024 |
Managing information when organisations are flooded with it is an ongoing challenge, and when that management fails a data breach is the likely result. Misfiling documents in the analogue era was common enough; however, the chance of a misfiled record resulting in a privacy breach was far rarer than today with . The Information Commissioner has reprimanded West Midlands Police (WMP) for a data protection failure. The breach arose because the records of two people who share a name and date of birth were repeatedly linked and merged, so that officers acted on one person's data when they were looking for the other. Given that both were victims of crime, one was also a suspect, and the safeguarding concerns at issue related to domestic violence, the error was significant. As is usually the case, on investigation the Commissioner found significant flaws in the way WMP handled data and trained its officers. This is a typical problem: data breaches often occur because processes are inadequate and there is not much in the way of training.
The media statement provides:
The Information Commissioner’s Office (ICO) has issued a reprimand to West Midlands Police (WMP) after the force repeatedly mixed up two people’s personal information.
On numerous occasions throughout 2020, 2021 and 2022, WMP incorrectly linked and merged the records of two people with the same name and date of birth. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime, a breach of the Data Protection Act 2018.
This mix-up led to inaccurate personal information being processed and resulted in a catalogue of errors, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child.
WMP didn’t take steps to rectify the error quickly enough and there was a failure to stop the inaccurate linking of records reoccurring, both breaches of data protection law.
The ICO also found that there was a lack of regular data protection training and not enough was done to make employees aware of their responsibilities to report any inaccurate personal information.
David Doodson, Civil Investigations Group Manager at the ICO said:
“It is essential that police forces handle personal information with the utmost respect to maintain people’s trust and confidence in the police. Sharing the same name and birthday as someone else should not mean your personal information is jeopardised, especially given the sensitive nature of the information held.
“This case highlights the importance of training to ensure officers understand data protection law to avoid mistakes like this occurring again.”
WMP has since introduced a new data quality policy and produced a “Think before you link” campaign to help ensure accuracy, both steps the ICO has welcomed.
The ICO made the following recommendations (full details can be found online):
- Maintaining relevant records of its processing activities.
- Taking appropriate action to distinguish the records of the two individuals and prevent further inaccurate linking and merging of records containing personal data.
- Sharing learnings from security incidents across the organisation and reminding employees of relevant security policies.
- Ensuring employees attend mandatory data protection training in line with WMP policies, including implementing an appropriate action plan to improve completion rates of refresher data protection training.
Findings from the Reprimand are:
- this case relates to two individuals with the same name and date of birth, whose personal data is processed by WMP. As early as January 2020, WMP incorrectly linked and merged the records of these two individuals with similar personal data on multiple occasions.
- because of the incorrect linkage, inaccurate personal data was processed in a number of incidents, for example: where WMP officers attended the wrong individual’s address when attempting to locate the other individual, for whom they had serious safeguarding concerns relating to domestic violence; and attending the wrong individual’s child’s school when attempting to locate the other individual. These incidents included events where personal data was either actually or potentially inappropriately disclosed.
- WMP failed to demonstrate that they ensured the accuracy and security of personal data relating to the two individuals in this case.
- WMP do not hold adequate records of the incidents relating to the accuracy and security of these individuals’ personal data.
- WMP didn’t rectify the inaccurate personal data without delay. Where remedial actions were taken by WMP, such as adding a note to the relevant system warning officers of the two individuals with similar personal data, such actions failed to prevent the inaccurate linking of records recurring.
- due to the incorrect linking and merging of the two individuals’ records, WMP have not made a clear distinction, as far as possible, between the personal data of victims and suspects of crime.
- WMP failed to keep personal data secure in relation to the other incidents affecting these two individuals. Due to the lack of appropriate records WMP do not know whether personal data was disclosed, including information concerning criminal offences.
- WMP failed to implement appropriate technical and organisational measures to implement the data protection principles in an effective manner.
- WMP have not demonstrated that they provided employees with clear policies, procedures and training relating to use of the system. WMP had difficulty in providing an accurate figure for the number of employees who had completed data protection training within the last two years, but estimated that it was between 30 and 35%.
- the ICO recommended that WMP should:
- maintain relevant records of its processing activities and take steps to improve governance measures, including considering guidance on the ICO website: Accountability and governance
- take appropriate action to distinguish the records of the two individuals and prevent further inaccurate linking and merging of records containing personal data. This should include completing the technical changes needed to unmerge the records on the system in a timely manner.
- ensure learnings from security incidents are shared across the organisation and that employees are reminded of relevant security policies.
- ensure employees attend mandatory data protection training in line with WMP policies, including implementing an appropriate action plan to improve completion rates of refresher data protection training. WMP should also consider implementing clear policies, procedures and training that is specific to the use of the system.