Police fined £100,000 for data breaches

Posted: 31st March 2014

PoliceA police force which left a number of highly sensitive tapes and documents unattended in the basement of a disused police station has been fined £100,000 by the Information Commissioner.

The material had been accidentally abandoned by Kent Police when the former police station – which had been unoccupied for over three years – was sold to a private company. It included confidential and highly sensitive data relating to rape, child abuse and other serious investigations as well as interviews with witnesses, suspects and informants and private details relating to police staff.

The force’s chief constable owed duties as ‘data controller’ under Section 4(4) of the Act but the Commissioner noted that it was not clear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. The lack of documented procedures was exacerbated by a breakdown in communication between different departments involved in the long process of decommissioning the building.

In setting the level of the penalty, the Commissioner noted that the maximum fine available in such a case was £500,000. Procedures had subsequently been implemented to guard against a recurrence and the force had fully co-operated in the investigation.

The breach was nevertheless serious and, in the absence of any sufficient safeguards, the data controller should have realised that there was a risk of contravention. In the circumstances, a £100,000 penalty was ‘reasonable and proportionate’.