ICO scolds British police for poor data handling

A new report from the UK's Information Commissioner's Office (ICO) reveals how few police forces are adhering to the full requirements of the 1998 Data Protection Act.

In the report, published late on Tuesday, the UK watchdog says the year-long audit ran from April 2013 to April 2014 and examined how 17 of the 43 UK police forces adhered to the 1998 DPA in the following six areas: data protection governance, records management, handling requests for personal data, staff training and awareness, and data sharing.

Of these 17 police forces – which were not named – only one was said to have achieved “high assurance” across all areas. The ICO said that those achieving this mark would have “limited scope” for improving on their existing practices, and added that “significant action is unlikely to be required”.

Another 10 forces achieved “reasonable” assurance with some scope for improvement, with six more receiving “limited” assurance. Fortunately, not one police force was branded as “very limited assurance” with “substantial risk of non-compliance with DPA”, although two forces did receive this mark in two specific areas: one for records management and another for data sharing.

Chris McIntosh, CEO of ViaSat UK, told SCMagazineUK.com that the report asks more questions than it answers.

“Why are no forces out of those surveyed ranked ‘high’ for either security of personal data or training and awareness? Why does records management appear to be such a weakness? And how do the police forces match up against other organisations in both the public and private sector?” said McIntosh in an email to SCMagazineUK.com.

“While the audits did not cover all forces, there are still lessons that every public sector body, especially those that are custodians of highly sensitive personal data, should take from this.

“Firstly, an organisation is only as secure as its weakest link: if data is not adequately protected at any point of its existence, or if workers are not aware of the need for data protection and best practices, sensitive information will be constantly at risk. Secondly, organisations must evolve with the times: as records make the move from paper to digital, they must be certain that not only are they evolving their data protection processes to deal with new technology, but that in this evolution older data is not being left behind.”

Andy Kellett, a security analyst at Ovum, said that the finding was a worry considering the police are most likely working from the same set of rules and policies across numerous forces.

“The question you have to ask is why some [forces] are better at interpreting these rules than others? I can't think of any good reason why a particular force should be better at working to the same set of rules,” Kellett told SC.

Securing data should be the ‘highest priorities’ for under-performing police forces, said Kellett, who added that they could even learn a lesson from failing UK schools.

“If they're not doing well enough, maybe there's an opportunity to do something in line with failing schools that go to their peer group to use their experience and expertise.”