Gwent Police has been found to be in breach of the Data Protection Act after Criminal Reference Bureau (CRB) checks were accidentally emailed to The Register.
As reported by SC Magazine last year, an email containing a spreadsheet of the results of around 10,000 CRB enquiries was mistakenly sent to a journalist at The Register when a staff member at Gwent Police inadvertently copied the wrong person into the email.
Human error was blamed for the action, as the author of the email used the autocomplete function to include the journalist's address along with those of five Gwent Police officials in the ‘CC’ field of the message. The address had been stored after a Freedom of Information Act request by the website.
Of the 10,000 records, 863 indicated that the individual had personal information recorded, but no details of criminal convictions were disclosed and the nature of the information was not identifiable.
A subsequent investigation conducted by Gwent Police criticised the member of staff responsible for circulating the email after they failed to follow the force's IT security policies regarding the importance of password protection and only sharing information that is absolutely necessary.
Mick Giannasi, then the chief constable of Gwent Police, has signed a formal undertaking agreeing to put in place a number of steps to prevent a similar breach from happening again. Gwent Police will implement stricter rules to ensure that, wherever possible, information is accessed directly via secure databases, and the use of generic passwords will stop. The undertaking also requires new technology to be brought in to prevent the inappropriate autocompletion of addresses in internal and external email accounts.
An undertaking was agreed in August 2010. However, as disciplinary proceedings at Gwent Police were underway, the Information Commissioner's Office (ICO) did not publish the undertaking at that time.
Anne Jones, assistant commissioner for Wales, said: “It is essential that staff are aware of and follow their organisation's security policies. Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place. We are pleased that Gwent Police has taken steps to prevent this happening again.”
The announcement comes in the same week as the ICO fined Ealing and Hounslow Councils a total of £150,000 for failings by a third party to encrypt laptops that were later stolen.