It is noteworthy that, once again, the ICO continues with a soft touch, implementing a revised approach to the public sector, on this occasion issuing a reprimand to both Surrey and Sussex Police, suggesting that large fines could lead to reduced budgets.
Aside from the fact that most businesses are currently operating in a financially constrained environment, it is disappointing to see the Regulator failing to apply penalties in an even-handed fashion, particularly given the sensitive nature of the data being handled.
In this case, more than 200,000 calls have been recorded without the knowledge of the members of the public concerned. Moreover, it appears that this was also without the knowledge of the Police Officers. The very nature of calls to the Police, which may have included domestic violence or child protection issues for example, requires that such data be handled with the utmost care. Yet it appears that this data has been collected over a period of up to 4 years.
Across the 2 Police Forces, 1015 staff have downloaded an app which has automatically saved calls; there are many questions about potential systemic failings that have enabled staff to access, download and use an app over such an extended period. This demonstrates a complete failure to implement Data Protection by Design, and also that the two forces did not ensure compliance as part of preparations for the incoming GDPR and Data Protection Act 2018.
The ICO is clear when it states that organisations should ‘maintain records on several things such as processing purposes, data sharing and retention’. It even provides a template which data controllers can use to specify all aspects of data storage.
Recent Examples of the ICO Soft Touch for the Public Sector
In the last couple of months alone, there have been a number of breaches investigated by the ICO, including:
- NHS Blood and Transplant Service for releasing untested development code into a live system, for which a reprimand was issued
- A provider of children’s services for local authorities, Achieving for Children, was issued with a reprimand for inappropriately disclosing personal data and special category data
- University Hospitals Bristol and Weston NHS Foundation Trust permanently lost a number of patient records, and were issued with a reprimand
- The Metropolitan Police were ‘unable to ensure that sensitive criminal records were not able to be uploaded correctly to the Police National Database (PND), or amended, or deleted and that this situation had been in place, unknown to MPS for some considerable time’, and were issued with a reprimand
Yet over this same period, companies have been charged many thousands for making unsolicited marketing calls. Whilst such calls are a nuisance, I know where I would rather the focus be for data protection enforcement. Our public sector organisations, particularly health and social services and the Police, deal with highly sensitive data, and it is imperative that these organisations handle our personal data correctly and with due consideration.