ICO (UK) - Thames Valley Police

From GDPRhub
Revision as of 18:11, 2 June 2023 by At33 (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Thames Valley Police |ECLI= |Original_Source_Name_1=ICO |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/reprimands/4025394/tvp-reprimand-20230530.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Origina...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - Thames Valley Police
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
S.40 Data Protection Act 2018
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.05.2023
Published:
Fine: n/a
Parties: Thames Valley Police
National Case Number/Name: Thames Valley Police
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: At33

The Commissioner has issued a reprimand to Thames Valey Police (TVP) in accordance with Schedule 13(2)(c) of the Data Protection Act 2018 (DPA 2018) in respect of appropriate security principle infringements (Law Enforcement Directive case).

English Summary

Facts

TVP have inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject has moved address and the impact and risk to the data subject remains high.

Holding

This incident occurred because TVP did not have the appropriate organisational measures in place to ensure that their officers were aware of existing guidance around disclosure and redactions. TVP have been unable to evidence that the officer who responded to the information request from the housing authority had received redaction training or was aware of existing policies around sharing information. Further to this, there was no oversight of the redaction process as TVP thought that the officer in question had sufficient experience to complete the redactions.

The Commissioner has decided to issue a reprimand to TVP and further action is recommended to ensure compliance with the DPA2018.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 AND UK GENERAL DATA
                       PROTECTION REGULATION


                                REPRIMAND

The Information Commissioner (the Commissioner) issues a reprimand to
Thames Valey Police (TVP) in accordance with Schedule 13(2)(c) of the
Data Protection Act 2018 (DPA 2018) in respect of certain infringements

of the DPA 2018.

The reprimand


The Commissioner has decided to issue a reprimand to TVP in respect of
the following infringements of the DPA 2018:

   •  S.40 of the DPA 18 (Security) which states: The sixth data

      protection principle is that personal data processed for any of the
      law enforcement purposes must be so processed in a manner that
      ensures appropriate security of the personal data, using appropriate

      technical or organisational measures (and, in this principle,
      “appropriate security” includes protection against unauthorised or

      unlawful processing and against accidental loss, destruction or
      damage).


The reasons for the Commissioner’s findings are set out below.


This investigation has found that TVP have inappropriately disclosed
contextual information that led to suspected criminals learning the
address of a witness (the data subject).


As a result of this incident, the data subject has moved address and the
impact and risk to the data subject remains high.


This incident occurred because TVP did not have the appropriate

organisational measures in place to ensure that their officers were aware
of existing guidance around disclosure and redactions. TVP have been
unable to evidence that the officer who responded to the information

request from the housing authority had received redaction training or was
aware of existing policies around sharing information.


Further to this, there was no oversight of the redaction process as TVP
thought that the officer in question had sufficient experience to complete

the redactions.


                                      1Mitigating factors


In the course of our investigation we have noted that TVP do have
redaction training and policies in place that would have reduced the
likelihood of this incident from occurring, had they been followed.


However, the officer responsible for this incident was not aware of these
policies. This is because TVP do not proactively make their officers aware
of their policies but instead point their officers to a policy library as part of
an officers induction.


For example, a policy about evidence gathering and the need to protect
evidence and intelligence sources was provided by TVP. Within this policy
it instructs officers to meet with a supervisor of TVPs intelligence hub
before disclosing information about intelligence sources. However, this

officer responsible for this incident did not do this as they were not aware
of the policy or any existing guidance telling them to do so.

Remedial steps taken by TVP


The Commissioner has also considered and welcomes the remedial steps
taken by TVP in the light of this incident. In particular, the officer in
question has completed information management refresher training, TVP

operational guidance has been updated to provide more detail with when
information can be shared and an email has been sent that highlights

data sharing guidance. Further to this, policy documents have been
updated to provide greater detail on how, what and when to make
redactions.


While these are welcome remedial steps that have been taken by TVP, the

ICO would expect more to be done in an incident such as this. For
example, the completion of redaction training for officers who are
expected to complete redactions, as well as regular updates or awareness

sessions on policies.


Decision to issue a reprimand

Taking into account all the circumstances of this case, including the

mitigating factors and remedial steps, the Commissioner has decided to
issue a reprimand to TVP in relation to the infringements of S.40 of the

DPA 18 (Security) of the DPA 2018 set out above.




                                       2Further Action Recommended

The Commissioner recommends that TVP should take certain steps to

ensure its compliance with DPA 2018. With particular reference to S.40 of
the DPA 18 (Security) of the DPA 2018, the following steps are
recommended:

1.   TVP should consider providing redaction training to all staff

     responsible for redactions and completing disclosures.

2.   TVP should share any updates to policies or processes with officers
     and members of staff as soon as they are available.


3.   TVP should continuously review policies and guidance on the handling
     of personal data (including disclosure, redactions etc), and update
     these documents where necessary. Staff need to be reminded of
     these regularly, and proactively updated as soon as they are

     reviewed.





































                                      3