Greater Manchester Police hit with £150k fine for data breach

Greater Manchester Police has become only the second police force to be fined by the Information Commissioner’s Office for a breach of data protection laws.

The force was served with a £150,000 monetary penalty after the theft from an officer’s home of a memory stick containing details of more than 1,000 people with links to serious crime investigations compiled over an 11-year period. The memory stick had no password protection.

None of the items stolen in the burglary in July 2011 have been recovered to date.

An investigation by the watchdog found that the officer used a personal USB stick to download information from his folder on the shared drive of the force’s network which was subject to access controls.

The information was downloaded to create a backup of his folder and to enable the officer to access information when he was out of the office or at another site.

The officer had been issued with an unencrypted stick by the force in 2003/04, but when its memory was full he replaced it himself with a stick with a larger capacity.

The investigation also found that at the time of the security breach a number of officers across Greater Manchester Police regularly used unencrypted memory sticks and that these may also have been used to copy data from police computers for access away from the office.

A chief constable’s order issued in September 2010 – following a similar breach (not involving sensitive personal data) – ordered all staff to use encrypted USB sticks issued by the force. However, the ICO understood that the officer in question was on leave at the time and that he had never had any specific training on data protection.

The investigation also concluded that the order was not effectively enforced and no further steps were taken to prevent the use of USB sticks other than encrypted ones the force had issued.

Following the breach, Greater Manchester Police held an amnesty to recover personal and/or unencrypted devices. This saw around 1,100 such USB sticks recovered. The ICO said it was still possible that some devices had not been recovered.

The force has now implemented endpoint security, which prevents any download of information to unauthorised USB devices.

In deciding the level of the fine, the ICO took into account the fact that the force had voluntarily reported the breach and had fully cooperated subsequently. There was also no evidence that the personal data had been inappropriately processed.

Greater Manchester Police has taken advantage of a 20% early payment discount, which means the fine has come down to £120,000.

David Smith, ICO Director of Data Protection, said: “This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.

“It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action. 

“This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”

Assistant Chief Officer Lynne Potts of the GMP said: "The force is aware of the decision of the ICO to impose a monetary penalty for the data loss following a burglary at the home of a serving officer last year.

"This was very much an isolated incident. We take all matters relating to the storage of data extremely seriously and have stringent measures in place to ensure the safe storage of data."

In March this year Lancashire Constabulary became the first police force to be hit with an ICO fine.

The watchdog levied a £70,000 penalty after a missing person’s report relating to a 15-year-old girl in foster care was found in a street in Blackpool by a member of the public.

Philip Hoult