5 years, 2,300 data breaches. What'll police do with our Internet Connection Records?

Police forces across the UK have been responsible for “at least 2,315 data breaches” over the last five years, according to research by Big Brother Watch, prompting concerns about the increasing amount of data they're holding.

Titled Safe in Police Hands? the 138-page report is released today after months of requests made by the campaign group under the Freedom of Information Act, covering police forces' breaches of the Data Protection Act from June 2011 to December 2015.

According to Big Brother Watch, the results “show officers misusing their access to information for financial gain and passing sensitive information to members of organised crime groups”.

Over the last five years, more than 800 members of staff at police forces “accessed personal information without a policing purpose” and information was “inappropriately shared with third parties more than 800 times”.

The issues span improper disclosure of information, accessing police systems for non-policing purposes, inappropriate use of data for personal reasons and more, says BBW. It continued:

Digital by default is the future for the country. In response to this the levels of data the police handle will increase. Whilst there have been improvements in how forces ensure data is handled correctly this report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse.

“With the potential introduction of Internet Connection Records (ICRs) as outlined in the Investigatory Powers Bill, the police will be able to access data which will offer the deepest insight possible into the personal lives of all UK citizens,” the group reported, adding that any breach of this information would be “over and above” what was included in the report.

Of the 2,315 breaches that Big Brother Watch was informed of, more than 55 per cent (1,283) resulted in no formal disciplinary action being taken, while in 11 per cent (258) of cases those responsible received either a written or verbal warning. In 13 per cent of cases (297) the individuals involved either resigned or were dismissed, while only 3 per cent (70) of breaches resulted in either a criminal conviction or caution.

Reg readers will remember that the Information Commissioner's Office fined Kent Police £80,000 earlier this year when it passed the entire contents of a potential domestic abuse victim's phone to the solicitor of the man she was accusing of abuse - a man whom it turned out was also a copper at Kent Police.

In another case from this year, an Essex police officer was given a “final written warning” after misusing Police Intelligence systems to snoop on his ex-wife's stepbrother.

In the light of such findings, Big Brother Watch has proposed five policy recommendations to “address concerns we have with the increased levels of data the police will have access to, [and] they also propose more stringent methods of dealing with data breaches including a move towards error reporting and notification for the individual whose data has been breached”.

The campaign groups recommends introducing custodial sentences for the most serious data breaches, adding that where such breaches are uncovered the individual should be given a criminal record. This movement was recently supported by a Parliamentary inquiry spurred by the data breach of TalkTalk, which also recommended that CEOs take a hit to compensation if their company's infosec practices were not up to scratch.

Big Brother Watch also recommended the mandatory reporting of any breach that concerns a member of the public, and the removal of Internet Connection Records from the Investigatory Powers Bill:

The scale of breaches within police forces should pose major questions regarding the plans to allow police officers access to even more personal information through Internet Connection Records proposed in the IP Bill. The information the police will have access to under these powers is vast. Police forces are already struggling to keep the personal information they can access secure. It is clear that the addition of yet more data may just lead to the risk of a data breach or of misuse.

Warning that a “weakening of data protection law post Brexit would put the UK at risk, in terms of trade, security and data privacy,” and thus endorsing stronger data protection legislation as “a fundamental part of keeping people and businesses safe,” Big Brother Watch also recommended – much as everyone else is doing – the necessity of adopting equivalent standards to the EU's General Data Protection Regulations if the UK is to trade with the Single Market. ®