Cops and Robbers – GMP Fined for Theft of Memory Stick Containing Sensitive Personal Data

As you would expect, Greater Manchester Police has access to a wide range of sensitive personal data relating to police operations and criminal investigations.  You might not expect GMP to have a previous record of data protection breaches....and for it to be a repeat offender. 

In the most recent breach, GMP was found to have permitted its officers’ to utilise memory sticks in order to use GMP data at home/away from the office (a similar breach was also committed by GMP in 2010).  The memory sticks were not password protected, and in one instance, a memory stick containing details of over 1,000 people with links to serious crime investigations was stolen from a GMP officer’s house.

The ICO found that GMP staff were insufficiently trained in data protection matters and that GMP had failed to implement security measures to restrict information being downloaded from its IT systems.  The ICO has fined GMP £150k (this was reduced to a requirement to pay £120k in light of GMP’s agreement to make quick payment).

This case is incredibly concerning, not least due to:

  • Lessons not having been learned from the previous breach.
  • The wide range of sensitive personal data which GMP holds.
  • The harm that may potentially arise from the unauthorised use/access of data held by GMP.

The timing is extremely unhelpful for supporters of the draft Communications Data Bill (or ‘snooper’s charter’) which would give police forces’ greater access to data which is communicated through communications service providers (and social media networks in particular).

It's also a timely reminder of the important of getting data protection basics right:

  • Ensure that all staff are trained in the principles of data protection (and that the training is refreshed).
  • Ensure that appropriate security arrangements are in place in relation to the data that you hold and the harm that might be caused if the data is disclosed or accessed without authorisation (and that these arrangements are continually reviewed).
  • Ask common-sense questions about existing practices (e.g. if your practices were reported in the press, would they cause embarassment/reputational damage to your organisation) - if the answer is 'yes', escalate/report the issue and don't assume that somebody has already thought about it or dealt with it.
  • Uncontrolled use of memory sticks, failure to password protect documents and failure to encrypt portable devices is a key issue and one which continues to be the subject of ICO fines and undertakings - the ICO's guide on IT security for SME's is a very useful and practical starting point.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.