Last week, the Information Commissioner fined the Chief Constable of Kent Police under s.55A of the Data Protection Act 1998 (DPA 1998), after an investigation revealed that Kent Police were in contravention of the ‘seventh protection principle,’ disclosing sensitive and personal information from a victim’s mobile phone to the man who she accused of abusing her.
A woman (‘W’) visited Kent Police to accuse her partner, who was a serving police officer of Kent Police, of domestic violence. She claimed that he had physically assaulted her and damaged her property. W’s mobile phone was taken in evidence, as she reported that there was a video on the phone to support her accusation. In addition, there were another 13,000 personal files on the phone, including information about her divorce, texts, and intimate photographs. A complete copy was made of all these files, including those irrelevant to the domestic abuse claim against the officer, and a further edited copy was made containing only the relevant video recordings.
W later changed her mind, and dropped the complaint against her former partner. The criminal proceedings were discontinued, and the officer was investigated for misconduct by the Professional Standards Department. Ahead of the misconduct hearing, an administrator employed by Kent Police “disclosed documents to the officer’s solicitor in advance of the misconduct hearing… the full working copy was also sent to the officer’s solicitor by mistake, as a result of inappropriate security measures.” The officer’s solicitor further disclosed the information to his client, who then informed W.
The Information Commissioner started an investigation against Kent Police to consider how and why a breach of data protection occurred, and whether the incident could have been prevented, using the guidelines of the Data Protection Act 1998, and the government’s data protection principles (i.e. principle seven, that data should be ‘kept safe and secure’).
During the Commissioner’s investigation it was noted that Kent Police did not have a sufficient procedure in place including a suitable standard of organisation, experience, and supervision in order to prevent the possibility of such incidents occurring. Thus, there were no suitable measures in place to ensure that personal data from individuals, such as the complainant in this instance, being disclosure to the other side when it is irrelevant and/or disproportionate to do so.
The Commissioner outlined the issue as follows:
“(a) Kent Police has in place a written procedure for how disclosures to defendants and their representatives should be managed in criminal cases. It has no comparable procedure for misconduct cases.
(b) The person to whom Kent Police entrusted the disclosure process was a hearings manager, who had an administrative role. That manager had no prior knowledge of these proceedings, and did not receive any input, supervision or oversight from officers involved in the investigation.
(c) Kent Police had in place no procedure for checking the contents of material prepared for disclosure prior to disclosure taking place.”
It was concluded that the procedures and measures taken by Kent Police in such cases were inadequate for the purpose of preventing unauthorised disclosure. As such, Kent Police was in contravention of the seventh data principle (‘safe and secure’). The Commissioner stated that Kent Police are responsible for this very serious data protection breach, the added seriousness correlating to the personal and sensitive context of the information that should have been safeguarded by the police against “unauthorised disclosure”.
During the investigation, the Commissioner noted that given the intimate nature of the information, discretion should have been applied, and a greater degree of personal distress could be foreseen in the event of a breach. W had approached Kent Police as a victim, and although partial disclosure was to be expected, the further personal and sensitive information (including intimate pictures) should have been heavily safeguarded. The Commissioner noted that Kent Police has a strict procedure in place for situations in criminal matters with regards to data disclosure, but that a similar procedure was not available in disciplinary matters:
‘Kent Police should also have known that inappropriate disclosures in the context of this relationship and the seriousness of the allegations were likely to result in substantial distress if excessive and unauthorised disclosure of personal data took place.”
Kent Police may not have intended to violate data protection, but the Commissioner concluded that it was a “deliberate act” on their part to not have a suitable or adequate procedure in place. He stated that it was a “serious oversight… rather than an attempt to bypass the legislative provisions.”
Therefore, the Commissioner considered that there had been a serious contravention of data protection on the part of Kent Police, disclosing the full working copy of information and files to the officer who had been accused of violence. This had caused severe foreseeable distress to W who gave the phone to the police as evidence to support her accusation. Given the nature of Kent Police’s usual role and understanding of the personal and sensitive nature of such information in criminal proceedings, there should have been a suitable procedure in place to process the information.
The Commissioner concluded that the requirements of s.55A DPA 1998 had been satisfied, as well as the procedural rights of s.55A (3A) and s.55B. Therefore, the Commissioner has considered that he is within his operational powers to issue a monetary penalty, as this can not be concluded to be a one-off event caused by human error, but is a procedural failing on the part of Kent Police. They are to pay £80,000 to the Commissioner’s office by 19th May 2016. Kent Police have 28 days to appeal this decision to the First Tier Tribunal. It is hoped that this will be a warning to other regional police departments about the importance of maintaining appropriate safeguards when it comes to data protection.