
Ouch!
That's a big FAIL.
Kent Police has been fined £80k by the Information Commissioner's Office (ICO) after sensitive personal details of a woman who accused her partner of domestic abuse were passed to the suspect, who was a police officer. According to the ICO, the copper's solicitor was handed the entire contents of the complainant’s mobile phone …
"The force has not responded to questions from The Register as to whether it anticipated allegations of corruption as a result of a victim's private data being passed to a suspect employed by it."
Did you ask whether disciplinary action had been taken? It's one thing to have procedures, it's another to follow those procedures without engaging brain. There should have been a "this doesn't seem right" moment.
So, the taxpayers were fined, really.
What about PC Fuckwit, (The Spousebeater's Friend)? Fined? Desk duty? Demotion? Sacked? Reassigned to Craggy Island?
I've often wondered whether the answer to these Blue Wall cases might not be to sue the relevant police pension fund in some way. Once the Boys in Blue understand that for every baddun they stand behind their own bottom line takes a potential smack in the hurtybits the urge to persuade the badduns to come forward would be overpowering.
My limited experience of solicitors is that they are dodgy geezers.
Brother in law had a solicitor as a tenant, and he had a call from the solicitor's client. She was trying to trace the solicitor, but he seems to have skipped the country with the money for a house purchase leaving months of unpaid rent.
Anon - don't want to be sued.
Responsibility has to be considered in context. Something like this, as the ICO notes, is an institutional failure. While we're chasing up what disciplinary actions were taken with individuals in this circumstance, it is appropriate to place the blame on the institution/organisation, as Kent Police themselves recognised in their response to us, having "implemented a new standard operating procedure."
"...
What were they thinking?"
There are two option:
a) Not a lot. This assumes no malice in the perpetrator
b) They thought they could get away with it. That implies malice
In the first case the person may not be suitable for working at the police.
In the second place the person is certainly not suitable for working at the police
The Solicitor will answer to The Law Society, and if they're any good they'll be removed from "the bar". So it's not so much him being fined, he could lose his job. Not sure however whether the Law Society can act on this news or whether he has to be referred to them by someone.
And in fairness, that's what he deserves.
I can't help wonder if the solicitor involved should be looked at for some form of misconduct too?
As I understand it, they'd only asked for/been offered one file (a video) from the phone, to prepare his client. Why, upon receiving everything on the phone, would they then think "I know, I'll show my client the lot"?
I'd have thought (possibly naively) that they'd have been familiar with data protection law.
Yes, I fear you're right there. I presently work in an environment where chinese walls, client confidentiality, need-to-know are crucial to the way we do our business and maintain our reputation.
Got a guy with us who's been around the legal biz. Seems the way of the world pretty much universally there is that all their docs (certainly within a group of partners) are open to all, no role- or client- based permissions, totally reliant on their professional standards not to read the wrong thing.
Sounds like a disaster waiting to happen to me, but whadda I know ?
The solicitor did nothing wrong.
He asked for disclosure and got a bumper Christmas present of disclosure.
The DPA breach is with the discloser.
As for it being accidental, given the wholesale corruption in Kent Police the chances that this was a genuine error are almost nil.
What's the point in fining a Police Force money? They're funded by the public purse - so that 80K is several front line officers not being recruited next year.
How about just locking up the entire chain of command responsible for this breach? Wouldn't have to be long - just a week inside - let them be on the end of a little potential violence they can't get away from - that would surely focus their minds on the future of keeping people's data secure.
It's one of the ICO's few tools in these circumstances, and it does bring the circumstances of these breaches to the public's attention too. I agree with you about the public purse issue. It certainly would be nice if there was more room/interest in prosecuting in the most severe circumstances.
It might be one of the ICO's few tools, you'd be a tool to think it'd make any difference though. It's not likely the public are going to remember and it will all blow over soon enough. If there were real disciplinary consequences for such a mahoosive and stupid breach i.e you lose your job, you might not be so careless in the first place. Severely screwing with someone's life is not worth the insult of taking public money from a public body that the victim presumably paid some tax towards and those in charge have no vested interest in!
It does make sense to sack people who break the rules, but you should think of it as a way of protecting the employer (and the employer's customers) rather than punishing the employee. In some cases the employee was in any case about to retire, or move to another job, or be sacked for some other reason, or be made redundant, in which case sacking is not a punishment at all. Being sacked can even be a reward in some cases because you conserve benefits that would have been lost in leaving voluntarily.
"It's one of the ICO's few tools in these circumstances"
It really ought to have been considered at the time the DPA was drawn up. Fines are inappropriate for a public body. There seems to be an assumption that public bodies wouldn't breach the provisions. We now realise that they're one of the categories of data managers who present most problems. In the absence of any other more appropriate provision there needs to be a mandatory requirement for personal responsibility.
But I still can't get my head round the notion that this was supposed to have been carried out in accordance with the force's procedures. Are the procedures really so stupid as to mandate this or are they so vague that anything would be in accordance?
It would be insane to actually lock these people up in general prisons, or - when they're too full - in police stations! Besides - mixing senior plod with people plod locks up is more likely to result in a nasty collusion situation - keep them well separated at all times.
But what about something like a sin-bin, like maybe being detained by the military police for a week or several. That would really screw up the golf club schedule.
Early retirement on full pension often seems to be the worst that's on offer both for negligence and malfeasance. Let's not be inhumane here, but the deprivation of liberty for a period should be a serious option. Maybe there was no criminal intent here, but a little bit of potential personal inconvenience may be enough to focus the mind of senior plod.
"Exactly, the person that 'lifted' (actually stole) the additional data from the phone should be charged with theft"
How many times do we have to go over this? It's just like the unending "copyright violation is theft" crap.
Theft is taking with intent to permanently deprive the owner. Copying isn't theft, it's copying. The two are not the same thing.
Theft - dishonestly taking something that belongs to someone else. Show me a definition anywhere which mentions a physical loss on the part of the owner. For that matter, show me a thief who's only motivation was to deprive the owner. If you're going to canter your high horse across the plains of pedantry, at least pick something a little more black and white.
small correction. Nothing was "stolen". The woman provided the phone to the police and consented to its contents being copied. However, the police had no fucking business copying and keeping more than the video the victim had made. And they sure as Hells should not have provided it to the lawyer until charges had actually been brought against the accused as part of discovery.
Given the number of times I've heard about police doing more to protect each other than to protect the public I can't help but think there was malicious intent by individuals in the police department.
> The woman provided the phone to the police and consented to its contents being copied
I would speculate that she consented to specific data only (the video) being copied. If anything else was copied then that would have been without consent and thus a criminal breach under the Computer Misuse Act. Passing that illegally copied data to a third party would be the offence we read about here under data protection laws.
The question then is whether the solicitor might reasonably have suspected that the data he was handed was not "legit" - and reading the report it sounds like he really should have had suspicions, and therefore could be argued to have also committed one or more offences (data protection, assisting an offender) as well as a serious breach of professional conduct.
So passing detailed, intimate personal information about an alleged victim to their alleged attacker costs 80 grand. If you just have a few uncontroversial customer and HR records, why would anyone bother making any attempt to comply with data protection legislation? Odds are you won't get caught anyway, but if you do, just act contrite in front of the Information Commissioner and you'll get a fine that will probably come out of petty cash for a lot of companies.
That may well change when the GDPR comes in of course.
That may well change when the GDPR comes in of course.
Only for the private sector, and "expendable" public sector bodies.
You can be sure the UK government to write a law that uses the GDPR exemption clauses to keep its own bureaucracy immune. Small time public sector (local authorities, NHS) probably will still be hit, but people like the police will hide behind a blanket exemption, as will all aspects of Snooper's Charter, and every aspect of Civil Service malfeasance.
A monetry fine is completely inappropriate when you consider the gravity of the crime. The poor lass must've been scared out of her mind. The scumbag(s) who divulged that info need to be sorted out in a public manner, which would at least try to claw back a shred of respectablity of the Kent force instead of the ICO blatantly trying to save Police face.
"the ICO blatantly trying to save Police face"
How do you make that out?
The ICO has said there was a serious breach. It's imposed a fine. It's done what it's enabled to do by law.
We complain when public bodies act beyond the law. That can't be squared with complaining when they don't.
As soon as it became clear that the complaint was being made against a fellow copper the story not only made more sense, it became one more in a set of depressingly similar "band of brothers" spousal domestic dispute stories.
Can the lawyer be called up before the bar? Stupid question: they are the very worst "wall of silence" offenders, closing ranks tighter than doctors do when one of their own is shown to possess above average levels of moral blindness and culpable malpractice.
Spouses of cops should have some other way of accessing the laws supposedly that protect them than the very buggers posing the problem and their boozer buddies.
What a bloody disgrace.
this isn't as clear cut as you all think it is.........the contents of the phone were evidence in a prosecution (or possible prosecution). The accused has a legal right to copies of ALL the prosecution evidence. Hence the disclosure of the contents. If only the required video was submitted, the defence would have valid grounds to claim the police were conspiring to hide evidence which MAY contradict the video. For instance the next sequence could have shown them making up and kissing (I'm speaking hypothetically here: I am NOT suggesting it did), in which case the prosecution case may be in question. Its a tricky one - should the laws over criminal evidence take precedence over data protection? I would suggest that in most cases it should, but I'm certain many of you will disagree. In this case I suspect someone in the Police station came to the same conclusion as me. However it would appear legal clarification is needed.
More practically, does anyone know whether the station she complained to was the one her husband operated from? If it was, a certain logic indicates that wasn't the cleverest course simply because of the risk of protectionism. If I was faced with a problem like this I'd take it to a neighbouring police force and request them to initiate a complaint, or if they refused at least approach a different division in the same force
As the ICO already posed the fine, those much closer to the details of what has happened and what was relevant for disclosure in this case already assessed that. A relevancy test of used is key, and even more important these days with so much data around. For example just because my child may go to school and is friend with another child whose parent is under investigation, and we exchange phone calls and text messages to pick up our children, doesn't make me a linked suspect, it doesn't mean that my data has to be disclosed, there is no relevance to the case. It is the duty of the senior investigator officer and their disclosure officer to ensure that such data without relevance is not disclosed.
No, this is a pretty serious issue. As someone early on stated, who ever passed on the full set should have paused and thought about that. Regardless of training and procedures, this is bread and butter stuff.
Not the first time this has happened glad that heads have rolled, I lived thought a very similar event when the cps handed over phone records, along with a new contact number for harassment of an ex partner to continual. At the time the cps used the words in hindsight it shouldn't of happened.
"glad that heads have rolled"
Except they haven't. A fine has been levied and hands smacked, but nobody's actually been named and shamed or publically kicked out (and I don't just mean the abusive partner - if they're stupid enough to hand over stuff they shouldn't do, then they're unsuitable for any role in the police - and those covering need to go too.)
Personal experience with Police and the ICO is that even after having been reprimanded twice for failure to follow laws is that internal police investigations exonerated everyone involved (including a senior inspector, who knew full well what the laws are, chose to ignore them and faced no punishment whatsoever)
Maybe I sound harsh, but I don't believe in cutting police slack for breaching laws. They can and should be held to higher standards with higher panalties for lawbreaking. Without that we continue to see only a couple of degrees of separation between crooks and cops.