ICO blog: Police collaboration unit failings should act as a warning to all

In the current climate of cuts to resources in the policing sector we are understandably seeing an increase in collaborative working. Whilst this can, in many cases, work well in practice and in fact be an effective solution to the problem of reducing resources, any collaborative unit needs to be set up properly at the outset, ensuring that appropriate safeguards are in place to protect any personal data that is being processed.

In practice this means that the purpose of the collaborative unit should be clear, and all parties involved should understand who is responsible for what and whose policies are being followed. Any staff working in a collaborative unit should have received data protection training and there should be adequate security in place which reflects the nature of the data being processed.

In terms of the police, it is fair to say that most of the information police forces process will be sensitive personal data and should therefore be afforded a higher level of protection. Force Information Security Officers and Data Protection Officers should be involved at the outset to ensure that adequate technical arrangements are in place and that any processing will be compliant with the Data Protection Act.

So what does happen when things go wrong?

We have been investigating a breach at the East Midlands Collaboration Unit and the failures we have uncovered have resulted in our office taking enforcement action against the Chief Constables of Leicestershire, Derbyshire and Nottinghamshire Police.

Our action follows the theft of a number of unencrypted laptops, containing sensitive personal data, from an office in August 2010. Amongst other things, the laptops contained sensitive personal data relating to approximately 4,500 offenders from across the forces.

Our investigation found that there was no formal basis for the sharing of personal data within the unit and no apparent recognition that the police forces remained responsible for the data they were processing. In many cases it wasn’t clear why the information was needed in the first place and this was compounded by the fact that there was no clear identified purpose for the unit. While many of these issues have now been addressed, the lack of planning around the setup of the unit is concerning.

Clearly this incident shows that the forces failed to look after people’s data correctly, which is why three of the forces involved have been served with an enforcement notice committing them to ensuring that no personal data is shared with any other data controller as part of a collaborative project unless:

  1. A Senior Information Risk Owner (“SIRO”) has been appointed at the beginning of the collaborative project to oversee the work of the unit;
  2. The SIRO has risk assessed the vulnerability of premises to burglary and theft at the beginning of any collaborative project and has ensured appropriate security measures are taken to protect personal data;
  3. Laptop computers or other portable electronic storage devices or removable media used by officers working on collaboration projects are encrypted to protect any personal data processed on such devices;
  4. All such officers have received training on the security requirements of the Data Protection Act 1998.

We have raised our concerns with the Association of Chief Police Officers (ACPO) and, recognising the seriousness of the issue and the implications on a national scale, ACPO will be reviewing and updating guidance to police forces on collaborative working. We would expect all forces to have regard to this guidance, particularly in light of the action we have taken on this case.

We must not assume that the actions of the police forces linked to the East Midlands Collaboration Unit are a one-off. We will continue to work with ACPO, the Home Office and police forces to provide advice to ensure that we do not see any further breaches of this nature and to reiterate the importance of getting it right from the outset.

Meagan Mirza is the Group Manager for the Public Security Team. Meagan’s team is responsible for engaging with and maintaining relationships with key stakeholders in the policing sector.

View a PDF of the Derbyshire Police Force enforcement notice
View a PDF of the Leicestershire Police Force enforcement notice
View a PDF of the Nottinghamshire Police Force enforcement notice
