Privacy watchdog the Information Commissioner’s Office (ICO) has been forced to fine another public sector body after a serious data breach – with South Wales Police on the receiving end this time.
The force lost unencrypted DVDs containing a highly sensitive video recording of an interview with a sex abuse victim.
The discs in question were left in a desk drawer in August 2011, and although the loss was discovered by staff after an office move two months later, it went unreported for two years due to poor training, the ICO said.
A second interview with the victim was not possible due to their distress, although in the end it didn’t affect the result of the investigation – with the defendants eventually convicted in court.
The police force had no policy to cover the secure storage of sensitive victim and witness interviews, the ICO said.
Assistant commissioner for Wales, Anne Jones, had the following stern words for South Wales Police in a prepared statement:
“The organization has failed to take all appropriate measures against the unauthorized processing and accidental loss of personal data. This breach is extremely serious and, despite guidance from our office, the Ministry of Justice and Association of Chief Police Officers stating it is essential to have a policy on storing this sort of information, they still haven’t fully addressed the issue.
“The monetary penalty given to South Wales Police should send a clear message that organizations have to take responsibility for personal data and the way in which it is stored.”
The force will not only have to pay the sizeable fine but also sign an undertaking to ensure that the appropriate policies as recommended by the ICO are implemented.
Nick Banks, EMEA vice president at IronKey by Imation, argued that people need to be able to trust that any personal data held by the police is securely managed and stored.
“On the plus side, it is gratifying to see that the ICO are using their powers to put penalties to those that breach data protection regulations,” he added. “This should be viewed as a clear warning to others that mismanagement and poor data security will not go unnoticed, and consequences are aplenty.”