Police Scotland Fined for Mishandling Alleged Victim’s Mobile Phone Data 

The Information Commissioner’s Office (ICO) has fined Police Scotland £66,000 and issued a Reprimand for serious failures in the handling of sensitive personal data.

Detective Constable Lianne Gilbert, who has now waived her right to anonymity, made domestic abuse allegations, including serious sexual assault, against another officer in 2020. However, when a misconduct inquiry took place two years later, it emerged that data extracted from Ms Gilbert’s phone had been given to the accused officer, his lawyer and his Scottish Police Federation (SPF) representative. There were 40,000 pages of extracted data including 80,000 images, medical records and contact details of Ms Gilbert’s friends and family. Some of the images were of an intimate nature.

Ms Gilbert has given her account to BBC Scotland News. She said: 

“It’s been absolutely horrific and very, very traumatic.” 

“At the time it happened I had a five-month-old baby. It’s really impacted my motherhood journey. At times I still feel quite numb.” 

It is important to note that the officer in question has not been charged with any offences against Ms Gilbert and the case remains live. 

UK GDPR Breaches 

The ICO investigation concluded that:  

a) Police Scotland failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data by the PSD for the purposes of compiling misconduct packs for disclosure as part of its investigations (Article 32(1) UK GDPR); 

b) These deficiencies put the personal data processed by the PSD at risk of unauthorised disclosure, in breach of the requirement to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f) UK GDPR); 

c) Police Scotland failed, at the time of the determination of the means of processing and at the time of the processing itself, to implement appropriate technical and organisational measures designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the UK GDPR and protect the rights of data subjects (Article 25(1)-(2) UK GDPR); 

d) Police Scotland failed to ensure that the personal data processed by the PSD when compiling misconduct packs for disclosure was adequate, relevant and limited to what was necessary in relation to the purposes for which it was processing that data (Article 5(1)(c) UK GDPR); and 

e) Police Scotland failed to inform the Commissioner of the personal data breach within 72 hours of becoming aware of it (Article 33(1) UK GDPR).

In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. It initially concluded that a £132,000 fine would be effective, proportionate and dissuasive. However, applying its controversial public sector approach to enforcement, it decided to reduce the amount by 50%.

The Monetary Notice states that Police Scotland paid a sum of money (amount redacted) as compensation to Ms Gilbert. This may have been in anticipation of a civil claim by Ms Gilbert. Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. There may be more claims to come; no doubt amongst the data extracted (and shared) from Ms Gilbert’s phone there will have been personal data related to third parties. 

Part 3 DPA Reprimand 

The related reprimand was issued under Part 3 of the Data Protection Act 2018 (law enforcement processing). Police Scotland is a competent authority under Part 3 and was, according to the ICO, processing Ms Gilbert’s data for a law enforcement purpose when it extracted the data. The ICO found that Police Scotland had infringed sections 35 and 37 of the DPA by failing to ensure that:

a) The bulk download of personal data on the mobile phone of the Data Subject was lawful and fair (section 35 DPA); and 

b) The personal data processed from the mobile phone download was adequate, relevant and not excessive in relation to the purposes for which it was processed (section 37 DPA). 

The ICO initially considered that a fine would be appropriate for these DPA breaches, and considered notifying Police Scotland of its intention to impose a fine of £78,750. However, once again, due to the revised approach to public sector enforcement it decided a reprimand was more appropriate. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.   

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop and our Law Enforcement Data Processing workshop.

ICO Issues Two FOI Enforcement Notices

Under the Freedom of Information Act 2000, an Enforcement Notice may be served where the Information Commissioner is satisfied that a public authority has failed to comply with any of the requirements of Part I of the Act. If a public authority fails to comply with a Notice, the Commissioner may commence court proceedings under section 54 of the Act, which may be dealt with as contempt of Court.

The ICO recently served an Enforcement Notice on both Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust for their ongoing FOI failings which have seen hundreds of information requests go unanswered.

Devon and Cornwall Police

In 2023, as part of the ICO’s routine work to monitor public authorities’ compliance, the ICO found that between 2022 and 2024 the percentage of requests responded to by Devon and Cornwall Police within the statutory FOI timeframe (20 working days) was consistently low (between 39% and 65%). Their rate of response to internal review requests was also poor, averaging between 0% and 22%. The Force had a backlog of older FOI requests which had increased from 77 in December 2023 to 251 in June 2024.

The ICO Enforcement Notice orders the Force to devise and publish an action plan in the next 30 days which must detail how they will comply with their duties to respond to information requests in a timely manner. It has also been given six months to clear the existing backlog.

Barking, Havering and Redbridge Hospitals NHS Trust

The ICO first contacted the Trust in June 2023 due to a number of complaints received about its late compliance with FOI requests. The ICO found that, over 12 months, the Trust had only responded to 29% of requests during the statutory timeframe, with January 2024 seeing just 2.5% of requests responded to in a timely manner.

The Trust had a backlog of 589 requests in April 2024, which increased to 785 by June 2024. The ICO Enforcement Notice gives the Trust 35 days to devise and publish an action plan to clear this backlog by the end of the year.

Since last year, the ICO has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three other police forces for poor FOI performance which has led to significant backlogs in their responses.

Our FOI Intermediate Certificate strengthens the foundations established by our FOI Practitioner Certificate. It will help you become an adept FOI practitioner by delving deeper into the intricacies of the FOIA, equipping you with the skills and confidence to navigate its complexities.

FOI Enforcement Action Against the Police

Under section 10 of the Freedom of Information Act 2000 (FOI), public authorities have 20 working days to answer a request for information. Last week we wrote about a new report by openDemocracy, Transparency Under Threat: Monitoring FOI compliance in the UK, which claims that many authorities are consistently failing to comply with the statutory deadline.

Since last year, the Information Commissioner’s Office (ICO) has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three police forces for poor FOI performance which has led to significant backlogs in their responses:

  • Dyfed Powys Police (DPP) – Compliance levels fell as low as 6% (June 2023) and the Information Commissioner received 13 complaints in 2023 in relation to timeliness of responses. By 9 November 2024, DPP is required to respond to all information requests which were outside of 20 working days when the Enforcement Notice was served on 9 May 2024.
  • Metropolitan Police Service (MPS) – Compliance levels were consistently low between 60% to 67% from April 2023 to February 2024. By 1 November 2024, MPS is required to respond to the backlog of 362 cases which were outside of 20 working days when the enforcement notice was served on 1 May 2024.
  • South Wales Police (SWP) – Compliance levels fell to 45% in July 2023 and as of 31 April 2024 167 requests were overdue, with one case being 122 days old. By 20 December 2024, SWP is required to respond to all information requests which were outside of 20 working days when the enforcement notice was served on 20 June 2024.

This and other FOI developments will be discussed in detail on our forthcoming FOI Update workshop.

Facial Recognition Technology and the Risk of Misidentification

In 2023 the Information Commissioner’s Office (ICO) launched an investigation into Facewatch, a company which provides live facial recognition technology (FRT) to the retail sector. Facewatch’s system scans people’s faces in real time as they enter a store and alerts if a “subject of interest” has entered. It is used in numerous stores in the UK, including Budgens, Sports Direct and Costcutter, to identify shoplifters. 

The ICO concluded its investigation by giving Facewatch the go ahead, even though in its letter (closing the investigation) it highlighted a number of breaches. Stephen Bonner, Deputy Commissioner for Regulatory Supervision, wrote in a blog post:

“Based on the information provided by Facewatch about improvements already made and the ongoing improvements it is making, we are satisfied the company has a legitimate purpose for using people’s information for the detection and prevention of crime. We’ve therefore concluded that no further regulatory action is required.”

But FRT may have an accuracy issue. This weekend the BBC reported on a number of cases where FRT had misidentified people. “Sara” was wrongly accused of being a shoplifter after being flagged by the Facewatch system. She says after her bag was searched she was led out of the shop, and told she was banned from all stores using the technology.

The police are also increasingly using FRT at live events as well as on the streets, again not without problems. Civil liberty groups, such as Big Brother Watch, are worried that the accuracy of FRT is yet to be fully established. In February Shaun Thompson was approached at London Bridge by police using FRT and told he was a wanted man. He was held for 20 minutes and his fingerprints were taken. He says he was released only after handing over a copy of his passport. It was a case of mistaken identity. Big Brother Watch has launched a campaign, including taking legal action, to stop the use of FRT.

The ICO has also expressed concerns about the use of FRT in the employment context as well as in schools. On 23rd February 2024, it issued Enforcement Notices to public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts under the UK GDPR. The notices required the organisations to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance. The ICO’s investigation found that Serco Leisure and the trusts had been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.

The ICO issued a letter, in January 2023, to North Ayrshire Council (NAC) following their use of FRT to manage ‘cashless catering’ in school canteens. The Financial Times reported that, “nine schools in North Ayrshire will start taking payments for school lunches by scanning the faces of pupils, claiming that the new system speeds up queues and is more Covid-secure than the card payments and fingerprint scanners they used previously.”

In 2019 the ICO published an Opinion on law enforcement use of LFR (Live Facial Recognition). This was followed in 2021 with an Opinion on the use of LFR in public places, setting out key requirements for those considering using this technology.

Our forthcoming CCTV workshop is ideal for those who want to explore the GDPR and privacy issues around all types of CCTV cameras including those using FRT. 

ICO Announces £750K Potential Fine for Data Breach

The Information Commissioner’s Office has today announced that it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 for a personal data breach.

The proposed fine (Notice of Intent) relates to an incident which occurred last summer. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours. At the time the breach was reported, Ibrahim Hasan gave an interview to BBC Radio Ulster (Listen here.)

The ICO says that the proposed fine could be imposed on the PSNI “for failing to protect the personal information of its entire workforce.” It has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate. 

The fact that the ICO is proposing a large fine is not surprising. The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. The PSNI has previously confirmed that the information was in the hands of dissident republicans, among others. 

It is important to note that this is not a fine. It is a ‘Notice of Intent’ – a legal document that precedes a potential fine. Such a notice sets out the ICO’s provisional view which may of course change after PSNI makes representations. Remember we have been here before. In July 2018 British Airways was issued with a Notice of Intent, for a cyber security breach, in the sum of £183 Million but the actual fine was for £20 million issued in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.

PSNI has also been issued with a preliminary Enforcement Notice, requiring the Service to improve the security of personal information when responding to FOI requests.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. See also our Managing Personal Data Breaches Workshop.


Police Misuse of Body Worn Camera Footage 

Last week the BBC reported that police officers made offensive comments about an assault victim while watching body camera footage of her exposed body.  

The woman had been arrested by Thames Valley Police and placed in leg restraints before being recorded on body-worn cameras. While being transported to Newbury police station, she suffered a seizure which resulted in her chest and groin being exposed. A day later she was released without charge. 

A female officer later reviewed the body camera footage, which the force told Metro.co.uk was for ‘evidential purposes’ and ‘standard practice’. The BBC reports that three male colleagues joined her and made offensive comments about the victim.

The comments were brought to the attention of senior police officers by a student officer, who reported his colleagues for covering up the incident. The student officer was later dismissed, though the police said this was unrelated to the report.

The policing regulator says Thames Valley Police should have reported the case for independent scrutiny. The force has now done so, following the BBC investigation. 

This is not the first time the BBC has highlighted such an issue. In September 2023 it revealed the findings of a two-year investigation. It obtained reports of misuse from Freedom of Information requests, police sources, misconduct hearings and regulator reports. It found more than 150 camera misuse reports with cases to answer over misconduct, recommendations for learning or where complaints were upheld. (You can watch Bodycam cops uncovered on BBC iPlayer) 

The most serious allegations include: 

  • Cases in seven forces where officers shared camera footage with colleagues or friends – either in person, via WhatsApp or on social media
  • Images of a naked person being shared between officers on email and cameras used to covertly record conversations
  • Footage being lost, deleted or not marked as evidence, including video, filmed by Bedfordshire Police, of a vulnerable woman alleging she had been raped by an inspector – the force later blamed an “administrative error”
  • Switching off cameras during incidents, for which some officers faced no sanctions – one force said an officer may have been “confused”

Body worn cameras are used widely these days not just by police but also by council officers, train guards, security staff and parking attendants (to name a few).

There is no all-encompassing law regulating body worn cameras. Of course they are used to collect and process personal data and will therefore be subject to the UK GDPR. Where used covertly they will also be subject to the Regulation of Investigatory Powers Act 2000.

The Information Commissioner’s Office (ICO) provides comprehensive guidelines on the use of CCTV, which are largely considered to extend to body worn cameras (BWCs) for security officers. There is a useful checklist on its website which recommends:

  • Providing privacy information to individuals using BWCs, such as clear signage, verbal announcements or lights/indicators on the device itself, and having readily available privacy policies.
  • Training staff using BWCs to inform individuals that recording may take place if it is not obvious to individuals in the circumstances.
  • Having appropriate retention and disposal policies in place for any footage that is collected. 
  • Having efficient governance procedures in place to be able to retrieve stored footage and process it for subject access requests or onward disclosures where required. 
  • Using technology which has the ability to efficiently and effectively blur or mask footage, if redaction is required to protect the rights and freedoms of any third parties. 

Our one-day CCTV workshop will teach you how to plan and implement a CCTV/BWC project including key skills such as completing a DPIA and assessing camera evidence.

Our expert trainer will answer all your questions including when you can use CCTV/BWC, when it can be covert and how to deal with a request for images.
This workshop is suitable for anyone involved in the operation of CCTV, BWCs and drones including DPOs, investigators, CCTV operators, enforcement officers, estate managers and security personnel. 

Another Day; Another Police Data Breach  

The largest police force in the UK, the London Metropolitan Police (also known as the London Met), has fallen victim to a substantial data breach. Approximately 47,000 members of the police staff have been informed about the potential compromise of their personal data. This includes details such as photos, names, and ranks. The breach occurred when criminals targeted the IT systems of a contractor responsible for producing staff identification cards.

While this breach has raised concerns about the security of sensitive information, it is important to note that details like identification numbers and clearance levels might have been exposed as well. However, it has been confirmed that the breached data did not include home addresses of the affected Met police personnel. There are fears that organised crime groups or even terrorist entities could be responsible for this breach of security and personal data.

Furthermore, the breach has amplified security apprehensions for London Met police officers from Black, Asian, and Minority Ethnic backgrounds. Former London Met Police Chief Superintendent Dal Babu explained that individuals with less common names might face a heightened risk. Criminal networks could potentially locate and target them more easily online, compared to those with common names. This concern is particularly relevant for officers in specialised roles like counter-terrorism or undercover operations.

Reacting to this situation, former Met commander John O’Connor expressed outrage, highlighting concerns about the adequacy of the cyber security measures put in place by the contracted IT security company, given the highly sensitive nature of the information at stake.

This incident presents a significant challenge to the UK Home Office, and it is likely that the government will be compelled to swiftly review and bolster security protocols. This step is necessary to ensure that the personal data of security service personnel is safeguarded with the utmost levels of privacy and data security. Both the Information Commissioner’s Office (ICO) and The National Crime Agency have initiated investigations.

This follows the data breach of the Police Service of Northern Ireland (PSNI) where, in response to a Freedom of Information request, the PSNI mistakenly divulged information on every police officer and member of police staff. Over in England, Norfolk and Suffolk Police also recently announced it had mistakenly released information about more than 1,200 people, including victims and witnesses of crime, also following an FOI request. Last week, South Yorkshire Police referred itself to the information commissioner after “a significant and unexplained reduction” in data such as bodycam footage stored on its systems, a loss which it said could affect some 69 cases.

These incidents underscore the urgency of maintaining robust data protection measures and raising awareness about potential risks, especially within law enforcement agencies. It also requires Data Controllers to ensure that they have processes in place to comply with the requirements of GDPR (Article 28) when it comes to appointing Data Processors.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

The Electoral Commission and PSNI: One Day, Two Data Breaches!

Yesterday two major data breaches were reported in the public sector. Both have major implications for individuals’ privacy. They are also a test for the Information Commissioner’s Office’s (ICO) approach to the use of its enforcement power.

In the morning, the Electoral Commission revealed, in a public notice issued under Articles 33 and 34 of the UK GDPR, that it has been the victim of a “complex cyber-attack” potentially affecting millions of voters.

It only discovered in October last year that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems”.

The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022. This includes those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters.

The Commission said it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people. It has warned people to watch out for unauthorised use of their data. The ICO has issued a statement saying it is currently making enquiries into the incident.

And then late last night, and perhaps even more worrying for those involved, the Police Service of Northern Ireland apologised for a data breach affecting thousands of officers. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours.

The ICO has just issued a statement on the PSNI data breach. A few years ago such data breaches would attract large fines. In 2021 the Cabinet Office was fined £500,000 (later reduced to £50,000) for publishing postal addresses of the 2020 New Year Honours recipients online. In June 2022 John Edwards, the Information Commissioner, announced a new approach towards the public sector with the aim of reducing the impact of fines on the sector. This centred around issuing reprimands rather than fines for the public sector. Since then no public sector organisation has been fined despite some very serious data breaches. In May 2023, Thames Valley Police (TVP) were issued with a reprimand after an ICO investigation found that TVP had inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject moved address and the impact and risk to the data subject remains high. Many data protection experts have expressed concern about the public sector’s special treatment. In relation to yesterday’s data breaches, anything other than serious enforcement action will lead to further questions for the ICO.

The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. Had the breach included addresses, it would have been even more serious. Both these breaches are going to test the ICO’s public sector enforcement policy.

Ibrahim Hasan has given an interview to BBC Radio Ulster about the PSNI data breach. Listen here.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. Our Data Mapping workshop is proving very popular with IG and DP Officers who wish to develop this skill.