Between June 2011 and December 2015 there were at least 2,315 data breaches by police staff. Over 800 members of staff accessed personal information without a policing purpose and information was inappropriately shared with third parties on more than 800 occasions.
These figures are set out in a new report by Big Brother Watch entitled Safe in Police hands? [pdf]. A number of incidents show officers misusing their access to information for financial gain and passing sensitive information to members of organised crime groups.
The key findings of the report for the period 1 June 2011 to 31st December 2015 are
- There have been 2,315 breaches in police forces, including the following:
- 869 (38%) instances of inappropriate/unauthorised access to information
- 877 (38%) instances of inappropriate disclosure of data to third parties. 25 cases involved misuse of the Police National Computer
- 1283 (55%) cases resulted in no disciplinary or formal disciplinary action being taken.
- 297 (13%) cases resulted in either a resignation or dismissal.
- 70 (3%) cases resulted in a criminal conviction or a caution.
- 258 (11%) cases resulted in either a written or verbal warning
The findings of the report reveal a number of types of data breach from improper disclosure of information, accessing police systems for non-policing purposes, inappropriate use of data and accessing data for personal reasons.
Whilst there have been improvements in how forces ensure data is handled correctly Big Brother Watch suggests that the report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse.
With the potential introduction of Internet Connection Records (ICRs) as outlined in the Investigatory Powers Bill, the police will be able to access data which will offer the deepest insight possible into the personal lives of all UK citizens.
In light of this and the extended findings of the Report Big Brother Watch proposes five policy recommendations. These recommendations will address concerns we have with the increased levels of data the police will have access to, they also propose more stringent methods of dealing with data breaches including a move towards error reporting and notification for the individual whose data has been breached.
The recommendations are:
- The introduction of custodial sentences for serious data breaches.
- Where a serious breach is uncovered the individual should be given a criminal record.
- The mandatory reporting of a breach that concerns a member of the public.
- The removal of Internet Connection Records from the Investigatory Powers Bill.
- The adoption of the General Data Protection Regulations.