Teal blue graphic

ICO enforcements on appropriate data safeguarding and timely FOIA responses

South Wales Police (18 May 2015) 

Breach Contravention of the Seventh Data Protection Principle, in particular the data controller failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing, or accidental loss of personal data. 

Background An investigating officer had possession of 3 unencrypted DVDs that contained video recordings of an interview with a victim who had been sexually abused, which took place in August 2011. 

South West Police did not have a specific policy on how DVDs should be stored and therefore the officer stored them in his desk, which was shared with another colleague. 

In October 2011, the officer noticed that the DVDs had gone missing following an internal office move. While this was reported to the officer's line manager, the line manager was not aware of the policy for reporting security breaches. Consequently, the data controller was not aware of the breach until August 2013. 

There was a trial taking place at the time the DVDs were lost. The video recording formed part of the evidence to be used at trial and was the only digital record of the interview. Fortunately, there were written notes of the interview, however, the CPS could no longer rely on the DVD as evidence. 

The ICO held that the data controller failed to take appropriate organisational measures against the unauthorised processing and accidental loss of personal data, for example, securely storing master copies, providing regular training on procedures and reporting the breach. Further, the DVDs were unencrypted and therefore could have been accessed by an unauthorised third party. This was likely to cause substantial distress to the victim. 

South Wales Police was issued with a fine of £160,000. 

Read the full Enforcement Notice

Department of Finance and Personnel for Northern Ireland (2 June 2014)

Breach Failure to comply with sections 1(1) and 10(1) of the Freedom of Information act 2000 (FOIA) and promptly provide individuals with details of information that the Department of Finance and Personnel for Northern Ireland (DFPNI) holds about them. 

Background Since May 2014, the Commissioner has been in correspondence with the DFPNI with regards to responding to requests for information in a timely manner. 

On 31 October 2014, the Commissioner threatened enforcement action against the DFNPI for late responses. 

In March 2015, as outstanding requests of more than six months still remained, the Commissioner formally monitored the DFNPI’s timeliness over three months. On 5 May 2015, 10 requests for information remained outstanding. 

The Commissioner served an enforcement notice which forced DFNPU to respond to all outstanding freedom of information requests. 

Read the full Enforcement Notice.

Insights & events View all