The Information Commissioner's Office (ICO) has hit Greater Manchester Police with a £150,000 fine after a data loss incident. This fine was later reduced to £120,000 after the ICO granted the force a twenty per cent discount for early payment.
Data belonging to over 1,000 people with links to serious crime investigations had been saved on a memory stick, which a detective took home. In July 2011, the detective’s home was broken into, and his wallet, which contained the memory stick, and his car keys were stolen.
The ICO’s investigation into the incident revealed that Greater Manchester Police hadn’t acquitted themselves very well at all, as data protection procedures were nowhere near the required level.
The data on the memory stick was unencrypted and wasn’t even password protected. As no security measures were in place, the data could easily fall into the wrong hands and be readily accessible.
The ICO investigation team concluded that Greater Manchester Police staff hadn’t received significant training in data protection, despite a similar data loss incident that occurred in 2010. Surely the incident in 2010 should have resulted in more stringent measures being put in place and enforced, but obviously this wasn’t the case, and confidential data has been put at unnecessary risk.
David Smith, the ICO Director of Data Protection, stated, “This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine. It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action. This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”
Assistant chief constable Lynne Potts later claimed, “This was very much an isolated incident. We take all matters relating to the storage of data extremely seriously and have stringent measures in place to ensure the safe storage of data.”
With the ICO now issuing such fines, it does make you wonder why data is still being put at unnecessary risk. There are a number of basic security measures that can be employed, such as encrypting the data, which can help to reduce the impact if devices such as memory sticks are lost or stolen.