ICO (UK) - Chief Constable West Midlands Police

From GDPRhub
Revision as of 07:56, 10 May 2024 by Im (talk | contribs)
ICO - Chief Constable West Midlands Police
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 34(3) GDPR
Article 38(1) GDPR
Article 38(3) GDPR
Article 40 GDPR
Article 57(1) GDPR
Type: Other
Outcome: n/a
Started: 16.01.2024
Decided: 01.03.2024
Published: 01.03.2024
Fine: n/a
Parties: West Midlands Police
National Case Number/Name: Chief Constable West Midlands Police
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Mgrd

ICO has issued a reprimand to West Midlands Police after the force repeatedly mixed up two data subject's personal information, violating several articles of UK GDPR.

English Summary

Facts

On numerous occasions throughout 2020, 2021 and 2022, West Midlands Police (WMP), a large regional police force, incorrectly linked and merged the records of two data subjects with the same name and date of birth on multiple occasions. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime. This led to inaccurate personal data being processed on WMP’s systems and resulted in a number of incidents, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child.

On 12 July 2022, WMP sent a letter to one individual that was intended for the other, disclosing that they had been a victim of an assault. At this time, the recipient was aware of the data accuracy issue on WMP’s systems and that this letter related to an individual who shares their name and date of birth and lives in the local area.

Holding

ICO found that WMP did not take steps to rectify the error quickly enough and there was a failure to stop the inaccurate linking of records reoccurring, both breaches of data protection law. Considering the security incident, WMP have failed to demonstrate that they have kept personal data secure in relation to the other incidents affecting these two individuals. Due to the lack of appropriate records of these incidents, WMP do not know whether personal data was disclosed, including information concerning criminal offences.

Also, WMP failed to demonstrate that they have ensured the accuracy and security of personal data relating to the two individuals in this case. WMP did not hold adequate records of the incidents relating to the accuracy and security of these individuals’ personal data.

The ICO found that there was a lack of regular data protection training and not enough was done to make employees aware of their responsibilities to report any inaccurate personal information.

For this reason, ICO issued a reprimand to Chief Constable West Midlands Police (WMP), for violating Articles 34(3), 38(1)(3), 40 and 57(1)(2) of UK GDPR.

ICO also recommended that WMP should take certain steps to ensure its compliance with the UK GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 AND UK GENERAL DATA
                       PROTECTION REGULATION


                               REPRIMAND

TO: Chief Constable West Midlands Police

OF: PO Box 52, Lloyd House, Colmore Circus Queensway,

Birmingham, B4 6NQ

1.1 The Information Commissioner (the Commissioner) issues a
reprimand to Chief Constable West Midlands Police (WMP) in accordance

with Schedule 13(2)(c) of the Data Protection Act 2018 (DPA 2018) in
respect of certain infringements of the DPA 2018.

The reprimand


1.2 The Commissioner has decided to issue a reprimand to WMP in
respect of the following infringements of the DPA 2018:

   •  Sect ion 34(3) which states “The controller in relation to personal
      data is responsible for, and must be able to demonstrate,

      compliance with this Chapter.”

   •  Section 38(1) which states “The fourth data protection principle is
      that - (a)personal data processed for any of the law enforcement

      purposes must be accurate and, where necessary, kept up to date,
      and (b)every reasonable step must be taken to ensure that personal
      data that is inaccurate, having regard to the law enforcement
      purpose for which it is processed, is erased or rectified without
      delay.”


   •  Section 38(3) which states “In processing personal data for any of
      the law enforcement purposes, a clear distinction must, where
      relevant and as far as possible, be made between personal data
      relating to different categories of data subject, such as - (a)persons

      suspected of having committed or being about to commit a criminal
      offence; (b)persons convicted of a criminal offence; (c)persons who
      are or may be victims of a criminal offence; (d)witnesses or other
      persons with information about offences.”


   •  Section 40 which states “The sixth data protection principle is that
      personal data processed for any of the law enforcement purposes
      must be so processed in a manner that ensures appropriate security
      of the personal data, using appropriate technical or organisational

      measures (and, in this principle, “appropriate security” includes
      protection against unauthorised or unlawful processing and against


                                      1      accidental loss, destruction or damage).”

   •  Section 57(1) which states “Each controller must implement

      appropriate technical and organisational measures which are
      designed - (a)to implement the data protection principles in an
      effective manner, and (b)to integrate into the processing itself the
      safeguards necessary for that purpose.”


1.3 The reasons for the Commissioner’s findings are set out below.

1.4 This case relates to two individuals with the same name and date of
birth, whose personal data is processed by WMP, which is a large regional

police force. Since as early as January 2020, WMP incorrectly linked and
merged the records of these two individuals with similar personal data on
multiple occasions. This led to inaccurate personal data being processed
on WMP’s systems and resulted in a number of incidents, for example:
where WMP officers attended the wrong individual’s address when

attempting to locate the other individual for which they had serious
safeguarding concerns relating to domestic violence; and attending the
wrong individual’s child’s school when attempting to locate the other
individual. These incidents included events where personal data was
either actually or potentially inappropriately disclosed.


Section 34(3)

1.5 WMP failed to demonstrate that they have ensured the accuracy and

security of personal data relating to the two individuals in this case. WMP
do not hold adequate records of the incidents relating to the accuracy and
security of these individuals’ personal data. The Commissioner found that
this had a negative impact on WMP’s ability to monitor and rectify non-
compliance with the data protection principles.


Section 38(1)

1.6 On numerous occasions throughout 2020, 2021 and 2022,
information relating to one individual was incorrectly linked to the other

individual’s record. Due to inadequacies in WMP’s record keeping and
incident management, the number of times incorrect linking occurred and
the durations for which such inaccuracies were present on WMP’s systems
are unknown. The full impact of the processing of inaccurate personal
data is also not known to WMP. The true number of times officers

attended the incorrect individual’s address (or child’s school) is unknown,
although there are at least four dates where there are suggestions this
may have occurred.


1.7 WMP are unable to demonstrate that inaccurate personal data was
rectified without delay. Where remedial actions were taken by WMP, such


                                      2as adding a note to the relevant system warning officers of the two
individuals with similar personal data, such actions failed to prevent the
inaccurate linking of records recurring.


1.8 Following the launch of the “         ” system in April 2021, and again
in January 2022 following t he launch of the “         ” system, the records
of the two individuals were incorrectly merged. WMP unmerged the
records on the           system, however are unable to unmerge the

records on the           system, resulting in the ongoing processing of
inaccurate personal data relating to the two individuals.

Section 38(3)


1.9 In this case, one of the individuals is known to WMP as the victim of a
crime whereas the other individual has been known to WMP as both a
suspect and a victim. Due to the incorrect linking and merging of the two
individuals’ records, WMP have not made a clear distinction, as far as

possible, between the personal data of victims and suspects of crime, as
is required.

Section 40


1.10 On 12 July 2022, WMP sent a letter to one individual that was
intended for the other, disclosing that they had been a victim of an
assault. At this time, the recipient was aware of the data accuracy issue
on WMP’s systems and that this letter related to an individual who shares

their name and date of birth and lives in the local area.

1.11 In addition to the above security incident, WMP have failed to
demonstrate that they have kept personal data secure in relation to the
other incidents affecting these two individuals. Due to the lack of

appropriate records of these incidents, WMP do not know whether
personal data was disclosed, including information concerning criminal
offences. WMP have assessed that, on the balance of probabilities, the
security of information relating to criminal offences was affected by the
relevant incidents.


Section 57(1)

1.12 The Commissioner found that WMP failed to implement appropriate
technical and organisational measures to implement the data protection

principles in an effective manner.

1.13 As  outlined above, WMP consider one merging of the individuals’
records to have been the result of the implementation of the

system. The testing and risk assessment of the             system carried
out by WMP failed to prevent the inaccurate merging of records of the two


                                      3individuals or identify the need for a manual editing tool, enabling such
records to be separated on the system. Since the need for a manual
editing tool has been identified, the development of this tool has not

progressed in a timely manner, meaning WMP have been unable to rectify
inaccurate personal data without delay.

1.14 WM  P have not demonstrated that they provided employees with
clear policies, procedures and training relating to use of the

system. Regarding mandatory data protection training, the Commissioner
notes that WMP reported difficulty in providing an accurate figure of the
number of employees who completed data protection training within the
last two years, but estimate this is between 30 and 35%. Additionally,

due to inadequate records of the incidents relevant to this case, WMP are
unable to identify the employees involved in all but one of the incidents,
meaning they are unable to direct those employees to complete refresher
training following their involvement in an incident, as is required by WMP
policy.


1.15 The Commissioner also found that WMP did not do enough to make
employees aware of their responsibility to report inaccurate personal data
identified on WMP’s systems to the Information Management team.


Mitigating factors

1.16 In the course of our investigation we have noted that WMP provided
one of the affected individuals with compensation and a letter to help

them address similar data accuracy issues occurring with other
organisations.

Remedial steps taken by WMP


1.17 The Commissioner has also considered and welcomes the remedial
steps taken by WMP in the light of this incident. In particular, WMP
produced a new Data Quality Policy and carried out a “Think before you
link” communications campaign, which reminded employees to ensure
links between connected individuals are accurate.


1.18 It is noted that WMP repeatedly manually unlinked the records of the
two individuals and added notes to the relevant systems regarding the
similar personal data. However, these remedial actions were ineffective in
preventing future incidents and ensuring compliance with the data

protection principles.

Decision to issue a reprimand


1.19 Taking into account all the circumstances of this case, including the
mitigating factors and remedial steps, the Commissioner has decided to


                                      4issue a reprimand to WMP in relation to the infringements of sections of
the DPA 2018 set out above.


1.20 WMP were invited to provide representations, which were submitted
to the ICO on 16 January 2024 and are summarised below.

Further Action Recommended


1.21 The Commissioner has set out below certain recommendations which
may assist WMP in rectifying the infringements outlined in this reprimand
and ensuring WMP’s future compliance with the DPA 2018. Please note
that these recommendations do not form part of the reprimand and are
not legally binding directions. As such, any decision by WMP to follow

these recommendations is voluntary and a commercial decision for WMP.
For the avoidance of doubt, WMP is of course required to comply with its
obligations under the law.


1.22 If in the future the ICO has grounds to suspect that WMP is not
complying with data protection law, any failure by WMP to rectify the
infringements set out in this reprimand (which could be done by following
the Commissioner’s recommendations or taking alternative appropriate
steps) may be taken into account as an aggravating factor in deciding

whether to take enforcement action - see page 11 of the Regulatory
Action Policy and section 155(3)(e) DPA 2018.

1.23 The Commissioner recommends that WMP should take certain steps
to ensure its compliance with the DPA 2018. The following steps are

recommended:

1.   In order to ensure compliance with section 34(3) WMP should
     maintain relevant records of its processing activities and take steps
     to improve governance measures, including considering guidance on

     the ICO website: Accountability and governance

2.   In order to ensure compliance with sections 38(1) and 38(3) WMP
     should take appropriate action to distinguish the records of the two

     individuals and prevent further inaccurate linking and merging of
     records containing personal data. This should include completing the
     technical changes needed to unmerge the records on the
     system in a timely manner.


3.   In order to ensure compliance with section 40 WMP should ensure
     learnings from security incidents are shared across the organisation
     and that employees are reminded of relevant security policies.

4.   In order to ensure compliance with section 57(1) WMP should ensure

     employees attend mandatory data protection training in line with


                                      5     WMP policies, including implementing an appropriate action plan to
     improve completion rates of refresher data protection training. WMP
     should also consider implementing clear policies, procedures and

     training tat is specific to the use of the       system.

1.24 On 16 January 2024, WMP submitted representations to the ICO
advising the Commissioner of progress that has been made in respect of
the above recommendations:


   •  The Commissioner recognises that WMP have made improvements
      in relation to recommendation 1 and implemented new
      accountability and governance measures.


   •  In respect of above recommendations 2 and 3, the Commissioner
      considers that these recommended steps have been completed.

   •  In respect of the relevant trainings in place, during representations
      WMP advised that training is provided prior to employees being

      granted access to new sy stems, including the          and
      systems. The Commissioner also acknowledges that WMP has made
      progress regarding recommendation 4, including reviewing relevant
      trainings and developing an action plan to improve completion rates
      of refresher data protection training.


1.25 We invite WMP to provide a further progress update on the above
recommendations in six months of the date of this reprimand.




























                                     6