The Information Commissioner’s Office has found Gwent Police in breach of the Data Protection Act for accidentally emailing information relating to 10,000 Criminal Records Bureau checks to a journalist working for the London-based Register website.
An email containing a spreadsheet of the results of the 10,000 CRB enquiries was mistakenly sent when a staff member at Gwent Police inadvertently copied the journalist into the email.
The ICO says 863 of the records indicated that the individual had personal information recorded but no details of criminal convictions were disclosed and the nature of the information was not identifiable.
A subsequent investigation conducted by Gwent police criticised the member of staff responsible for circulating the email after the individual failed to follow the force’s IT security policies regarding the importance of password protection and only sharing information that is absolutely necessary.
Anne Jones, Assistant Commissioner for Wales, said: “It is essential that staff are aware of and follow their organisation’s security policies. Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place. We are pleased that Gwent Police has taken steps to prevent this happening again.”
Gwent Police will implement stricter rules to ensure that wherever possible information is accessed directly via secure databases and the use of generic passwords will stop. The undertaking also requires new technology to be brought in to prevent the inappropriate auto completion of addresses in internal and external email accounts.
According to the Register, the email detailed the results of the checks going back to 2001 and so identified 863 people as having been in trouble with police. In many cases it recorded their occupations, including dozens of taxi drivers, school and hospital workers. Personal details and whether a CRB disclosure was made on foster carers, IT technicians and pest controllers was also included in the spreadsheet.
The Register deleted the file in co-operation with Gwent Police’s professional standards officers, who travelled to our London offices two days after being contacted.
The error occurred when the author of the email — a member of the force’s CID data management unit — used the autocomplete function in email software to include the journalist’s address along with those of five Gwent Police officials.
The Register address had been automatically saved by the system after it was used to submit two unrelated Freedom of Information requests last year.
Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would undermine public confidence in the force, but the website declined.