Greater Manchester Police (GMP) has been fined £150,000 ($194,000) by the UK's data breach watchdog – the Information Commissioner's Office (ICO) – after three unencrypted DVDs containing footage of interviews with victims of violent and sexual crimes were "lost in the post".
The department sent the footage in 2015 to the Serious Crime Analysis Section (SCAS), a division of the National Crime Agency (NCA), by recorded delivery but they were never received. The DVDs, stored without password protection, have never been recovered.
The recordings showed victims talking openly about the crimes. The ICO said in a statement this week (4 May) GMP did not have appropriate measures in place to guard against the accidental loss – and should have known to send the material via special delivery.
The ICO said the DVDs contained "highly sensitive data" that would likely cause "substantial damage or stress" to the victims who may suspect that their personal data had been accessed by "individuals who have no right to see that information".
The substantial penalty must be paid to the ICO by 31 May 2017. If the ICO receives full payment by 30 May the GMP will be given a 20% discount to £120,000.
"GMP ought to have known that the DVDs containing the interviews would be vulnerable," the ICO said.
"The GMP was also aware that SCAS only used special delivery to send confidential material by post, if required," the ICO continued. "Special delivery is more secure than recorded delivery because an item is signed for every time it changes hands, and not just by the recipient."
Sally Anne Poole, ICO enforcement group manager, said: "When people talk to the police they have every right to expect that their information is handled with the utmost care and respect.
"Greater Manchester Police did not do this. The information it was responsible for was highly sensitive and the distress that would be caused if it was lost should have been obvious. Yet GMP was cavalier in its attitude to this data and it showed scant regard for the consequences that could arise."
The ICO investigation found that GMP had been sending unencrypted DVDs by recorded delivery to SCAS since 2009 and only stopped after the security breach in 2015. Yet this is not the first time the force had been found lacking in the area of data protection.
The ICO previously fined GMP £150,000 in 2012 after an unencrypted USB stick was stolen.
GMP Assistant Chief Constable Rob Potts told The Guardian: "The disks were sent in accordance with national guidance for sending sensitive information, however, when it became apparent that the disks may have been lost we immediately reviewed our own procedures.
"As a result postal delivery is no longer used by GMP for sensitive information.
"I think it is important to stress that when the potential loss did become apparent, we worked closely alongside Royal Mail to do everything possible to try to find the disks and immediately informed the three people concerned in the video interviews.
"They have been kept updated of this ongoing investigation and contacted this week to inform them of the ICO's decision." He added: "I would continue to urge anybody who has been a victim of crime to come forward to police, we are here to help and we can provide specialised support."