From the Information Commissioner’s Office:
Greater Manchester Police has been fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post.
The force sent the unencrypted DVDs to the Serious Crime Analysis Section (SCAS) of the National Crime Agency by recorded delivery but they were never received. The DVDs, which showed named victims talking openly, have never been found.
An investigation by the Information Commissioner’s Office (ICO) found that Greater Manchester Police failed to keep highly sensitive personal information in its care secure and did not have appropriate measures in place to guard against accidental loss. This is a breach of data protection law.
Sally Anne Poole, ICO Enforcement Group Manager, said:
“When people talk to the police they have every right to expect that their information is handled with the utmost care and respect.
“Greater Manchester Police did not do this. The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious.
“Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise by failing to keep the information secure.”
The ICO investigation found that Greater Manchester Police had been sending unencrypted DVDs by recorded delivery to SCAS since 2009 and only stopped after the security breach in 2015.
The ICO previously fined GMP £150,000 in 2012 after an unencrypted USB stick was stolen.
Note that when I first saw this press release, I thought it might be referring to a 2014 incident involving victim video interviews, but this was a different incident that occurred in 2015. Certainly, though, there had been enough news coverage in 2014 about victim videos and the need to protect them properly that the GMP should have been on notice. As I wrote at the time of the 2014 incident involving the Crown Prosecution Service: this is the stuff (data protection) nightmares are made of.