
Gwent Police in breach of Data Protection Act

Information relating to approximately 10,000 people’s CRB checks was accidentally emailed by Gwent Police to a member of the public. A website journalist received the email after a member of staff copied them into the email. No criminal convictions were disclosed, and the nature of the information was not identifiable.

Gwent Police conducted an investigation into the error, concluding that the member of staff responsible for circulating the email was at fault, by failing to follow the Force’s IT security policies.

Anne Jones, Assistant Commissioner for Wales, said:
“It is essential that staff are aware of and follow their organisation’s security policies. Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place. We are pleased that Gwent Police has taken steps to prevent this happening again.”

Mick Giannasi, the then Chief Constable of Gwent Police, has signed a formal undertaking agreeing to put in place a number of steps to prevent a similar breach from happening again. The undertaking was agreed in August 2010. However, as disciplinary proceedings at Gwent Police were underway, the ICO did not publish the undertaking at that time.

Gwent Police will implement stricter rules to ensure that wherever possible information is accessed directly via secure databases and the use of generic passwords will stop. The undertaking also requires new technology to be brought in to prevent the inappropriate auto completion of addresses in internal and external email accounts.

A full copy of the undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems.

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and is an area where we can have a big impact for a modest investment.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.