The data leak is the latest in a series of breaches by police forces

In recent weeks four police forces in the UK have made headline news because of failures to comply with requirements of the UK GDPR when preparing to respond to requests for information made under the Freedom of Information Act 2000.

As this post explains, these failures not only have the potential to damage the reputation of police forces, and traumatise affected individuals, but may even pose a risk to national security in the UK.  It is therefore important to consider what went wrong and what lessons need to be learned both by UK police forces and other organisations with FOI responsibilities.

Four police forces of the FOI disclosure apocalypse

Firstly, Norfolk and Suffolk police forces reported, in a joint statement, that a technical issue led to accidental disclosure of “raw data,” namely personal data of individuals connected to crimes (e.g., victims, witnesses and suspects) as well as descriptions of offences, in FOI responses to requests for crime statistics issued between April 2021 and March 2022. They stated that whilst 1,230 individuals were affected, the error related to a “very small percentage” of responses and that the data was ‘hidden’ from anyone opening the relevant files, but that they would nevertheless inform all affected individuals and set up a dedicated specialist team to handle any queries about this incident. They also indicated that they had made ‘strenuous efforts’ to determine if the data had been accessed by anyone outside of policing and had formed the view that there was no evidence to suggest that this was the case.

Secondly, Cumbria police force disclosed that it had accidentally published online the names, salaries and allowances, and positions of all its employees (1,304 police officers, 756 staff members and 52 police community support officers) in March. The information was removed immediately after the breach was identified and the force contacted every affected person, explaining that the impact of this breach was low as “only a handful of people had accessed the data.”

The most serious inadvertent disclosure, both in terms of the volume of data disclosed and the potential security threat arising from it, was by the Police Service of Northern Ireland (PSNI), which confirmed that it had published data on 10,800 serving police officers and civilian staff, including those working as close protection officers safeguarding politicians and judges, and those in surveillance, undercover and intelligence roles (e.g., MI5), in response to an FOI request from a member of the public asking, “Could you provide the number of officers at each rank and number of staff at each grade?” Like the other police forces, it published not only its response but the source data, i.e., an Excel spreadsheet containing the data it used to generate its answer. However, this Excel sheet included additional, unneeded personal data, namely the surnames and initials of current employees along with their work location and department. As the request was submitted via www.WhatDoTheyKnow.com, a website that facilitates the submission of FOI requests, the response was published on that site and was therefore publicly accessible (i.e., not limited to the original requestor). The data was accessible for approximately two and a half hours and was accessed several times before being removed at the request of PSNI because it posed a risk to the safety and security of staff. The subsequent appearance of a redacted version of the data on a wall opposite the offices of the political party Sinn Féin was interpreted as a “very public indication” that dissidents had accessed the information while it was publicly available. Although a 50-year-old man was charged with possessing documents or records likely to be useful to terrorists eleven days after the disclosure, it is likely to prove impossible to ascertain whether other copies of the data remain in circulation.

The common element in the inadvertent disclosures

All the inadvertent disclosures occurred because of human error, and in some instances, error by more than one person. Indeed, whilst the PSNI disclosure was initially described as an error by a “junior employee” it later transpired that the response was initially received by the PSNI’s FOI team, which falls within the Corporate Information Branch, which in turn is part of the Operational Support Department. It also passed through the Human Resources Department and the PSNI’s Strategic Communications and Engagement Department, which is responsible for handling all media queries. That is, several people “signed off before it was uploaded – people who should have seen the potential for the disaster,” indicating systemic failure.

Lessons to be learned

These inadvertent data disclosures indicate that police forces in the UK, and other organisations with FOI responsibilities, need to review their practices for responding to FOI requests. They should start by recognising that preparing a response to a request may require them to access personal data, and they should comply with the UK GDPR when doing so. For example, a request for information on the number of staff employed in a particular role might require an FOI officer to ask the Human Resources department for information on all employees. In such instances, both HR and the FOI officer should be conscious of the data minimisation, storage limitation, and integrity and confidentiality principles. As it would not be necessary to retain the names of staff in any dataset compiled to determine the number of staff in particular roles, such information should be immediately deleted, thereby eliminating the risk of inadvertent disclosure.

Organisations with FOI responsibilities, including police forces, should also provide regular UK GDPR and FOI training to inform and advise staff on how to release data securely. For example, staff should be made aware that every tab in an Excel workbook needs to be checked to ensure that it does not contain additional information, and that redaction software should be used rather than simply converting response documents from Word or Excel to .pdf format ahead of publication. The latter is not an effective solution, because .pdf documents can easily be converted back to other formats, resulting in inadvertent disclosures.
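The two controls described above (aggregate before you store, and check every tab before you publish) can be made mechanical. The following is an added illustration, not code from the article or from any police force: it aggregates a constructed HR extract into the rank counts an FOI request actually asks for, and inspects an .xlsx container's workbook.xml for sheets flagged hidden or veryHidden, which Excel does not display but which travel with the file. The `build_xlsx` fixture and the `IDENTIFYING` field list are assumptions for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample HR extract for this demo (not real data). The FOI officer
# only needs the "rank" column to answer "how many officers at each rank?".
HR_EXTRACT = [
    {"surname": "Smith", "initials": "A", "rank": "Constable", "dept": "C1"},
    {"surname": "Jones", "initials": "B", "rank": "Constable", "dept": "C2"},
    {"surname": "Brown", "initials": "C", "rank": "Sergeant", "dept": "C1"},
]
IDENTIFYING = {"surname", "initials", "dept"}  # assumed list of fields to strip
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def rank_counts(rows):
    """Aggregate first, so the working dataset never needs to keep identifiers."""
    return dict(Counter(r["rank"] for r in rows))

def build_xlsx(sheets):
    """Hypothetical fixture: a minimal .xlsx holding only xl/workbook.xml.
    `sheets` is a list of (name, state); state is None, 'hidden' or 'veryHidden'."""
    parts = []
    for i, (name, state) in enumerate(sheets, start=1):
        attr = f' state="{state}"' if state else ""
        parts.append(f'<sheet name="{name}" sheetId="{i}"{attr}/>')
    xml = f'<workbook xmlns="{NS["m"]}"><sheets>{"".join(parts)}</sheets></workbook>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", xml)
    return buf.getvalue()

def hidden_sheets(xlsx_bytes):
    """Names of sheets flagged hidden/veryHidden: invisible in Excel, but fully
    present in the file and therefore disclosed together with it."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [s.get("name") for s in root.iterfind("m:sheets/m:sheet", NS)
            if s.get("state") in ("hidden", "veryHidden")]

def release_check(xlsx_bytes, rows):
    """Pre-publication gate: list every reason the response must not be released."""
    problems = [f"hidden sheet: {n}" for n in hidden_sheets(xlsx_bytes)]
    fields = {c for r in rows for c in r}
    problems += [f"identifying field still present: {c}"
                 for c in sorted(fields & IDENTIFYING)]
    return problems
```

An empty list from `release_check` is the only result that should allow upload; any other result goes back to the second reviewer the collective-responsibility approach below calls for.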

The ultimate solution: collective responsibility

In summary, responding to FOI requests is often perceived to be a specialist task performed by appropriately qualified staff, but it should never be considered the responsibility of just one person, regardless of job title, because the response may be derived from personal data, in which case compliance with the UK GDPR requires a collective responsibility approach. That is, all staff involved in responding to FOI requests received by UK police forces, or other organisations with FOI responsibilities, have a duty to check each other’s work to ensure that a response does not include an inadvertent personal data disclosure.

Dr Karen Mc Cullagh, Lecturer in Law, UEA Law School, University of East Anglia.