Gwent Police has been found to have breached the Data Protection Act (DPA) after it accidentally emailed the results of 10,006 Criminal Reference Bureau (CRB) checks to a journalist.
A CID data management staff member at Gwent Police mistakenly copied the journalist, from online news site The Register, into an email that contained a spreadsheet of the CRB results. The IT staff member was using the auto-complete function in Novell’s email software and had intended to send the email to five police staff colleagues.
Although the Microsoft Excel file did not contain details of criminal convictions, and the information was not identifiable, 863 of the records highlighed incidents with the police, as well as providing full names, dates of birth and occupation.
The Register said that it had deleted the file after Gwent Police’s professional standards offices travelled to their London offices two days after being contacted.
The police force criticised the member of staff for sending the email without following its IT security policies around the importance of password protection and only sharing information when absolutely necessary.
Although Gwent Police have taken steps to avoid such a breach occuring again, Anne Jones, assistant commissioner for Wales, said: “Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place.”
The police force has agreed to implement stricter rules to ensure that wherever possible, information is accessed directly via secure databases, and to stop the use of generic passwords. It will also install new technology to prevent the inappropriate auto-completion of addresses in internal and external email accounts.
This data breach comes as the UK government announced the new Protection of Freedoms Bill, which Home Secretary Theresa May said will boost citizen's privacy rights and protect themfrom unwarranted state intrusion in their private lives.
For example, the Bill will see the deletion of DNA samples and fingerprints of innocent people from police database, and the extension of the scope of the Freedom of Information Act (FOI).
Christopher Graham, Information Commissioner, welcomed the Bill, saying that it addresses issues that the ICO has been concerned with for a long time.
“I support the Bill’s aims of strengthening privacy, delivering greater transparency and achieving improved accountability, as well as greater independence for the ICO.
“The detail of these important provisions will need careful consideration. The current proposals on improved regulation of CCTV and ANPR (Automatic Number Plate Recognition systems] are limited to the police and local government only but their use is much more widespread. We will be examining all of the Bill’s provisions closely to be satisfied that they will deliver in practice,” he said.