UK Cops Are Data Protection Flops, Says ICO

The ICO audited 17 police forces from April 2013 to April 2014, rating them in three of six scope areas

The UK’s police forces could do much better in terms of their compliance with the Data Protection Act, according to a new report from watchdog the Information Commissioner’s Office (ICO).

The ICO audited 17 police forces from April 2013 to April 2014, rating them in three of six scope areas as “high”, “reasonable”, “limited” or “very limited”.
 
These areas were: data protection governance; records management; requests for personal data; security of personal data; training and awareness; and data sharing.
 
Disappointingly, after combining their scores the ICO found that only one force was rated “high assurance”. The majority (59%) were appraised as “reasonable” and 35% came in as “limited assurance”.
 
The audit covered less than half of the 43 forces in England and Wales, but the results will still come as a concern to many, even if none were ranked in the lowest category of “very limited assurance”.
 
However, one force did have the dubious honor of scoring a “very limited” in the data sharing scope, while another was given the same black mark for records management.
 
Tellingly, the ICO released a long list of recommendations for areas of improvement covering data protection governance; records management; security of personal data; data sharing; and training and awareness.
 
Chris McIntosh, CEO of secure comms firm ViaSat UK, argued that the report holds lessons for all public sector bodies.
 
“Firstly, an organization is only as secure as its weakest link: if data is not adequately protected at any point of its existence, or if workers are not aware of the need for data protection and best practices, sensitive information will be constantly at risk,” he added.
 
“Secondly, organizations must evolve with the times: as records make the move from paper to digital, they must be certain that not only are they evolving their data protection processes to deal with new technology, but that in this evolution older data is not being left behind.”
 
Given the low levels of adherence to the DPA it’s perhaps not surprising that the ICO has had several brushes with the law in the past.
 
In 2010 it issued an enforcement notice against the Police Complaints Commission after it failed to respond to 69 FoI requests. A year later Gwent Police was taken to task after emailing thousands of personal details to a journalist.
 
The ICO is getting tougher on non-compliance now, having fined Kent Police £100,000 back in March after “highly sensitive and confidential information” – including interview tapes – was left in a basement at a former police station.
