UK Police Aren't Doing Enough to Keep Personal Data Secure

UK police aren't up to speed on how to protect, store or handle sensitive data, raising concerns that it could spill into the public domain.

Jun 26 2014, 2:10pm
Officers with the West Midland Police. As the report was anonymous, it's not clear what police agencies were implicated. Image: West Midland Police/Flickr

UK police aren't up to speed on how to protect, store or handle sensitive data, raising concerns that it could spill into the public domain.

This is according to a new report by the Information Commissioner's Office (ICO)—an independent body set up to promote the openness of public bodies and data privacy for individuals. The audit looked at how 17 police forces stood up to six aspects of the Data Protection Act (DPA) between April 2013 and April 2014: data protection governance, records management, requests of personal data, security of personal data, training and awareness of staff around the DPA, and the sharing of data between agencies.

Of these aspects, the majority of the forces landed in the 'reasonable' or 'limited' ranking, with only one force hitting the 'high assurance' bracket across all of them. None of the forces were named.

An ICO spokesperson told me that, “Clearly, police forces handle sensitive personal data, and we all want to have confidence that information is being kept in line with the law. Our findings suggest that tends to be the case, with two thirds of the forces needing just a few improvements in the areas we audited.”

So the findings aren't going to have any agencies facing privacy overhauls any time soon. “But there’s no room for complacency,” the spokesperson continued. “The report contains a list of areas for improvement, and all forces would do well to read it.” 

Some of the recommendations shine a light on how cobbled together some of the police forces' systems for handling data are. The audit suggested the creation of “a location inventory of paper records,” to make sure that files aren't “being held in unknown, incorrect or disused locations.” In other words, there are UK police forces that don't even know where their paper records are stored. 

The ICO representative told me about a recent case concerning the Department of Justice Northern Ireland (DoJ NI).  A filing cabinet that was no longer needed by the department was sold at an auction. The cabinet, however, contained information about victims of a terrorist incident, including details on their families, the amount of compensation offered and confidential documents, running from the 1970s right up to 2005. Without greater tabs being kept on their records, police forces run the risk of doing something equally terrible for data protection.

The IPO's scorecard for 17 UK police agencies. Individual categories don't add up to 17 because ICO audits generally only rates an individual agency on three of the six categories at a time. Image: ICO

The ICO report found another lingering problem with how the police protect sensitive data: making sure that sensitive data stays within the boundaries of a secure computer network. The ICO recommends that police forces set up policies to “prevent users potentially plugging in and using a non authorised device on force system or downloading unauthorised content onto or from force networks,” meaning that—again—this isn't being done already.

If I had data about me stored on police computers, I would want to be sure that such data couldn't just be downloaded onto any staff member's USB stick and taken off the network, where any sensitive information could be spread.

“For instance, where forces allow staff to download content onto memory sticks and similar, they risk a similar breach to the one that saw Greater Manchester Police fined £150,000,” the ICO representative continued. Here they are referring to the case where a USB stick with unencrypted personal data was stolen from a police officers home in 2012. According to the latest report, some forces are setting the stage for something similar to happen.

As for who is responsible for making these changes, the ICO told me that each force is likely to have a staff member who looks over their handling of the Data Protection Act.

Overall, although the ICO report isn't damning, it does show that UK police forces have a long way to go until they can guarantee, or at least confidently claim, protection of sensitive data.