ICO (UK) - Thames Valley Police
ICO - Thames Valley Police | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | S.40 Data Protection Act 2018 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 30.05.2023 |
Published: | |
Fine: | n/a |
Parties: | Thames Valley Police |
National Case Number/Name: | Thames Valley Police |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | At33 |
The Commissioner has issued a reprimand to Thames Valley Police (TVP) in accordance with Schedule 13(2)(c) of the Data Protection Act 2018 (DPA 2018) for infringements of the appropriate security principle (Law Enforcement Directive case).
English Summary
Facts
TVP have inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject has moved address and the impact and risk to the data subject remains high.
Holding
This incident occurred because TVP did not have the appropriate organisational measures in place to ensure that their officers were aware of existing guidance around disclosure and redactions. TVP have been unable to evidence that the officer who responded to the information request from the housing authority had received redaction training or was aware of existing policies around sharing information. Further to this, there was no oversight of the redaction process as TVP thought that the officer in question had sufficient experience to complete the redactions.
The Commissioner has decided to issue a reprimand to TVP and further action is recommended to ensure compliance with the DPA 2018.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION
REPRIMAND
The Information Commissioner (the Commissioner) issues a reprimand to Thames Valley Police (TVP) in accordance with Schedule 13(2)(c) of the Data Protection Act 2018 (DPA 2018) in respect of certain infringements of the DPA 2018.
The reprimand
The Commissioner has decided to issue a reprimand to TVP in respect of the following infringements of the DPA 2018:
• S.40 of the DPA 18 (Security) which states: The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
The reasons for the Commissioner’s findings are set out below.
This investigation has found that TVP have inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject has moved address and the impact and risk to the data subject remains high.
This incident occurred because TVP did not have the appropriate organisational measures in place to ensure that their officers were aware of existing guidance around disclosure and redactions. TVP have been unable to evidence that the officer who responded to the information request from the housing authority had received redaction training or was aware of existing policies around sharing information. Further to this, there was no oversight of the redaction process as TVP thought that the officer in question had sufficient experience to complete the redactions.
Mitigating factors
In the course of our investigation we have noted that TVP do have redaction training and policies in place that would have reduced the likelihood of this incident from occurring, had they been followed. However, the officer responsible for this incident was not aware of these policies. This is because TVP do not proactively make their officers aware of their policies but instead point their officers to a policy library as part of an officer's induction. For example, a policy about evidence gathering and the need to protect evidence and intelligence sources was provided by TVP. Within this policy it instructs officers to meet with a supervisor of TVP's intelligence hub before disclosing information about intelligence sources. However, the officer responsible for this incident did not do this as they were not aware of the policy or any existing guidance telling them to do so.
Remedial steps taken by TVP
The Commissioner has also considered and welcomes the remedial steps taken by TVP in the light of this incident. In particular, the officer in question has completed information management refresher training, TVP operational guidance has been updated to provide more detail with when information can be shared and an email has been sent that highlights data sharing guidance. Further to this, policy documents have been updated to provide greater detail on how, what and when to make redactions.
While these are welcome remedial steps that have been taken by TVP, the ICO would expect more to be done in an incident such as this. For example, the completion of redaction training for officers who are expected to complete redactions, as well as regular updates or awareness sessions on policies.
Decision to issue a reprimand
Taking into account all the circumstances of this case, including the mitigating factors and remedial steps, the Commissioner has decided to issue a reprimand to TVP in relation to the infringements of S.40 of the DPA 18 (Security) of the DPA 2018 set out above.
Further Action Recommended
The Commissioner recommends that TVP should take certain steps to ensure its compliance with DPA 2018. With particular reference to S.40 of the DPA 18 (Security) of the DPA 2018, the following steps are recommended:
1. TVP should consider providing redaction training to all staff responsible for redactions and completing disclosures.
2. TVP should share any updates to policies or processes with officers and members of staff as soon as they are available.
3. TVP should continuously review policies and guidance on the handling of personal data (including disclosure, redactions etc.), and update these documents where necessary. Staff need to be reminded of these regularly, and proactively updated as soon as they are reviewed.