Police force fined £120,000 for data breach
ICO fines Greater Manchester Police after investigation prompted by stolen memory stick
Greater Manchester Police has been fined £120,000 by the Information Commissioner's Office (ICO) for failing to take appropriate measures against the loss of personal data.
An investigation into the force's data protection practices was launched after a memory stick containing personal details about thousands of people linked to police operations was stolen from an officer's home in July 2011. Despite the sensitive nature of the data, the device had no password protection.
The ICO discovered that a number of officers across Greater Manchester Police force regularly used unencrypted memory sticks. The USB devices may also have been used to copy data from police computers for officers to access away from the department.
This is despite a similar security breach in September 2010. As a result, the ICO concluded Manchester Police had failed to put restrictions on downloading information and that staff were not sufficiently trained in proper data protection.
The ICO has therefore used powers under the Data Protection Act to impose a Civil Monetary Penalty of £150,000 on Greater Manchester Police. The force paid the fine on Monday, resulting in a 20 per cent early payment discount.
"This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine," said ICO deputy commissioner David Smith.
"It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action."
"This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes," he concluded.
An ICO report recently concluded that the public sector was behind private organisations when it comes to data protection, a view which won't have been helped by this incident.