UK: ICO issues £150,000 monetary penalty to Dyfed-Powys Police over data protection breach
It’s one of those “small breaches, big potential harm” situations.
The Dyfed-Powys Police force has been fined £150,000 after an email containing information that could be used to identify eight sex offenders was sent to a member of the public in error.
The monetary penalty notice explains that the community member’s email address (an external email) was in an officer’s contact list in Outlook. The contact list was initially intended to be used for internal emails, and when the individual sent a series of emails that included information on eight registered sex offenders, they were sent to the list.
The recipient notified the sender of the error promptly, but there were a series of replies that were also sent to the community member. One of the factors the ICO considered in determining that a monetary penalty was appropriate was the fact that the police did not take remedial action until after 6 emails had been sent to the community member.
The email contained names, addresses, telephone numbers, and email addresses, along with sufficient information for the recipient to infer that these eight people were sex offenders. Given the rural nature of the area and the kinds of information involved, the ICO determined that the risk of the recipient knowing the data subjects or being able to identify them would be high, and the distress to the data subjects would be great.
Those whose data were exposed were notified of the breach.