UK: Around 10,000 CRB background checks land in the wrong inbox
Gwent Police is taking remedial action after the Information Commissioner’s Office (ICO) found it in breach of the Data Protection Act for accidentally emailing results of Criminal Reference Bureau (CRB) checks performed by the force to a member of the public.
An email containing a spreadsheet of the results of around 10,000 CRB enquiries was mistakenly sent to a website journalist when a staff member at Gwent Police inadvertently copied the wrong person into the email. 863 of the records indicated that the individual had personal information recorded but no details of criminal convictions were disclosed and the nature of the information was not identifiable.
A subsequent investigation conducted by Gwent police criticised the member of staff responsible for circulating the email after the individual failed to follow the force’s IT security policies regarding the importance of password protection and only sharing information that is absolutely necessary.
Anne Jones, Assistant Commissioner for Wales, said:
“It is essential that staff are aware of and follow their organisation’s security policies. Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place. We are pleased that Gwent Police has taken steps to prevent this happening again.”
The undertaking was agreed in August 2010. However, as disciplinary proceedings at Gwent Police were underway, the ICO did not publish the undertaking at that time.
Mick Giannasi, the then Chief Constable of Gwent Police, has signed a formal undertaking agreeing to put in place a number of steps to prevent a similar breach from happening again. Gwent Police will implement stricter rules to ensure that wherever possible information is accessed directly via secure databases and the use of generic passwords will stop. The undertaking also requires new technology to be brought in to prevent the inappropriate auto completion of addresses in internal and external email accounts.
A full copy of the undertaking can be viewed here:
Source: Information Commissioner’s Office