A recent report by a privacy activist group has put police forces across the UK under the spotlight for having accessed and used civilian data inappropriately. The report details at least 2,315 data breaches committed by the police over a five-year period. Between June 2011 and December 2015, over 800 police staff accessed personal information without proper authorisation and inappropriately shared it with third parties over 800 times.
According to the report published by Big Brother Watch, "Specific incidents show officers misusing their access to information for financial gain and passing sensitive information to members of organised crime groups."
The activist group also said, "It is not a mandatory requirement for the police to report data breaches to the Information Commissioners Office. Guidance has been produced by the Information Commissioners Office to help forces decide when it may be appropriate to report an incident. In addition many forces prepare their own internal guidance and procedures for such an event."
Big Brother Watch research director Daniel Nesbitt told IBTimes UK, "Training is vital to cutting down on the breaches which happen by accident or because of avoidable mistakes. It's important that a good level of training is available and that officers understand their responsibilities to keeping data secure. Other causes of breaches include officers and staff accessing police systems with no policing purpose; sometimes to conduct checks on family members and information being passed to third parties not authorised to see it."
Key findings of the report
The report found that between June 2011 and December 2015, there were 869 (38%) instances of police staff involved in unauthorised access of personal information and 877 (38%) instances of civilian data having been inappropriately shared with third parties without proper authorisation. In addition, there were 25 specific cases of "misuse" of the Police National Computer.
The report also found that of all the incidents reported, only 13% resulted in either a resignation or a dismissal, while 11% resulted only in either a written or verbal warning. Additionally, 1,283 (55%) cases resulted in no formal or disciplinary action being taken whatsoever.
The report also highlighted several specific cases of police staff inappropriately sharing civilian data for personal entertainment and/or financial gain. For instance, one Metropolitan Police officer took a snapshot of a victim's driving licence and sent it to a friend on Snapchat, because he found the victim's name to be "amusing".
In another incident, an officer of South Wales police force photographed and circulated restricted documentation for "personal gain" for which he was dismissed. In yet another case, "informal action" was taken against a police officer of the Dyfed Powys police for having provided a USB device to a "member of the public", which contained sensitive information, including "intelligence reports, emails and public information letters" in relation to a crime.
The report also referred to the controversial spy bill — the Investigatory Powers Bill, nicknamed Snooper's Charter — which is currently under review by the House of Lords. The report stressed that the collection of Internet Connection Records (ICR), which involves the government accessing and storing user data for up to 12 months, would further hamper user privacy, especially in light of the findings of the report.
Nesbitt stressed, "Internet Connection Records reveal a huge amount of information about UK citizens. Collecting and storing details about every website that we access as well as our location, what device we are using and what time we accessed it can help build a very intrusive picture. Until the police can demonstrate that our data will be safe in their hands we shouldn't be giving them access to yet more of it."
"The power to collect, store and for the police to subsequently seek a warrant to access our online activity would create another vulnerability to our personal data and personal lives," said Big Brother Watch.
In light of the report's revelations about the workings of the UK police forces, the activist group has suggested several policy changes, including criminal sentences for serious data breaches, mandatory reporting of a breach, removal of ICR from the Snooper's Charter and the adoption of the General Data Protection Regulation.
"The report doesn't show a widespread lack of professionalism in UK police forces. What it does reinforce is the fact that in a modern society protecting citizens is also about protecting their personal data. This is something that the police are going to have to become more and more aware of," cautioned Nesbitt.