User menu

Welsh police force fined for sexual abuse case data breach

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.

The DVDs contained film of an interview with a victim, who had been sexually abused as a child. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.

The recorded interview took place in August 2011 and the loss was discovered by staff after an office move in October 2011 but the security breach then went unreported for nearly two years due to lack of training. Although the DVDs were stored in a secure part of the police station, South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.

A second interview had to be abandoned due to the victim’s distress and the DVDs have still not been recovered. The defendants were eventually convicted in court.

Anne Jones, Assistant Commissioner for Wales said: “Without any doubt we would expect a professional police force, in a position of trust, dealing with this type of highly sensitive information from victims and witnesses on a daily basis to have robust procedures to keep track of the personal data in their care.

“The organisation has failed to take all appropriate measures against the unauthorised processing and accidental loss of personal data. This breach is extremely serious and despite guidance from our office, the Ministry of Justice and Association of Chief Police Officers stating it is essential to have a policy on storing this sort of information they still haven’t fully addressed the issue.

“The monetary penalty given to South Wales Police should send a clear message that organisations have to take responsibility for personal data and the way in which it is stored.”

In addition to the monetary penalty, the Information Commissioner has asked the police force sign an undertaking to ensure the changes are made to implement policies to stop any incidents happening again.

 

Notes

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  1. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  1. The ICO is on TwitterFacebook and LinkedIn. Read more in the ICO blogand e-newsletter.Our Press Office page provides more information for journalists.
  1. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection