West Midlands Police censured by information watchdog over data breach

Police

The information watchdog has censured West Midlands Police over a data breach involving the publication of a Criminal Behaviour Order.

The Information Commissioner said the breach had left members of the public exposed to potential risk.

The CBO was imposed on two people in March 2015. West Midlands Police officers decided to publicise the order via a leaflet. It outlined that the offences involved damaging property and threats of violence.

The leaflets were distributed in the area local to where the offences took place.

The CBO prohibited the offenders from entering certain areas of Birmingham and from associating with one another in these areas. This information was outlined in the leaflet.

The order also banned the offenders from contacting the victims of and witnesses to the offences.

Unfortunately, a version of the leaflet included this information, effectively revealing the names of the witnesses to the crime. This leaflet was distributed to approximately 30 homes in April 2015.

During the creation of the leaflet, a detailed risk assessment was completed by the police in relation to the use of photographs of the offenders.

The Information Commissioner said no equivalent risk assessment exists for victims or witnesses to an offence.

The victims and witnesses named in the leaflet subsequently complained to the police that the leaflets were distributed without their consent and knowledge, and left them at risk of intimidation or harm.

The police force explained to the Commissioner that the version of the leaflet naming the victims and witnesses was a draft, never intended for distribution.

The force also said that it intended to notify the victims and witnesses of the intention to distribute the leaflet.

The Commissioner said that while this was accepted, the expectation was that remedial action was taken to ensure the protection of personal data in similar circumstances.

The police force has subsequently compiled with the provisions of the Data Protection Act.

However, the Commissioner said that some of the data compromised was also information related to committal proceedings for an offence. Personal data containing such information is defined as ‘sensitive personal data’ under the DPA.

Following the force’s remedial action, the Commissioner said an Enforcement Notice was not warranted.

However, the force has been told that in future it must carry out risk assessments in relation to victims of, or witnesses to, offences for publicity material regarding CBOs.

Also, that victims of and witnesses to an offence are informed before such similar leaflets or publicity materials are published, and that the creation, approval and distribution of such publicity materials is to be documented.

Future processes for the creation of other publicity materials are to be reviewed to ensure that the processes comply with the DPA.

The Commissioner has also ruled that mandatory data protection training is to be given to all new members of staff, who have access to or otherwise process personal data for the force, on their induction.

This data protection training is also to be refreshed for all members of staff, who have access to or otherwise process personal data, on an annual basis.

The force has been given three months to implement these revisions.

Click here to sign up to receive our new South West business news...
Close