A recent determination by the Information Commissioner’s Office (ICO) is another lesson about how sensitive information should be treated.
The ICO has fined The Greater Manchester Police (GMP) £150,000 for losing DVDs containing footage of interviews with victims of violent or sexual crimes in the post.
The GMP had sent three unencrypted DVDs, showing victims of sexual and violent crimes being interviewed. The DVDs were sent by recorded delivery and have never been found.
The ICO felt aggravating factors were that the information was extremely sensitive and the breach would cause distress to victims who had already endured distressing interviews.
At the time encryption was not an option for GMP. The DVDs were sent by ‘recorded’ delivery and not ‘special’ delivery. Special delivery tracks an item and recorded delivery only requires a signature by the recipient. The ICO considered the GMP failed to take reasonable steps to protect the confidentiality of the information when they sent the DVDs by recorded delivery instead of special delivery.
The ICO were scathing in their assessment of the force and said they were “cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”
The case is important because it shows the ICO is willing to take action and impose significant fines on organisations even if when the data was lost this was outside their control.
Lost in the post is not an excuse.
How can we help?
In Tughans we have a track record of assisting organisations respond to ICO investigations. We can also review and help prepare polices to prevent breaches happening in the first place.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.