Ouch!
That's a big FAIL.
Kent Police has been fined £80k by the Information Commissioner's Office (ICO) after sensitive personal details of a woman who accused her partner of domestic abuse were passed to the suspect, who was a police officer. According to the ICO, the copper's solicitor was handed the entire contents of the complainant’s mobile phone …
"The force has not responded to questions from The Register as to whether it anticipated allegations of corruption as a result of a victim's private data being passed to a suspect employed by it."
Did you ask whether disciplinary action had been taken? It's one thing to have procedures, it's another to follow those procedures without engaging brain. There should have been a "this doesn't seem right" moment.
So, the taxpayers were fined, really.
What about PC Fuckwit, (The Spousebeater's Friend)? Fined? Desk duty? Demotion? Sacked? Reassigned to Craggy Island?
I've often wondered whether the answer to these Blue Wall cases might not be to sue the relevant police pension fund in some way. Once the Boys in Blue understand that for every baddun they stand behind their own bottom line takes a potential smack in the hurtybits the urge to persuade the badduns to come forward would be overpowering.
My limited experience of solicitors is that they are dodgy geezers.
Brother in law had a solicitor as a tenant, and he had a call from the solicitor's client. She was trying to trace the solicitor, but he seems to have skipped the country with the money for a house purchase leaving months of unpaid rent.
Anon - don't want to be sued.
Responsibility has to be considered in context. Something like this, as the ICO notes, is an institutional failure. While we're chasing up what disciplinary actions were taken with individuals in this circumstance, it is appropriate to place the blame on the institution/organisation, as Kent Police themselves recognised in their response to us, having "implemented a new standard operating procedure."
"...
What were they thinking?"
There are two options:
a) Not a lot. This assumes no malice in the perpetrator
b) They thought they could get away with it. That implies malice
In the first case the person may not be suitable for working at the police.
In the second place the person is certainly not suitable for working at the police.
The Solicitor will answer to The Law Society, and if they're any good they'll be removed from "the bar". So it's not so much him being fined, he could lose his job. Not sure however whether the Law Society can act on this news or whether he has to be referred to them by someone.
And in fairness, that's what he deserves.
I can't help wonder if the solicitor involved should be looked at for some form of misconduct too?
As I understand it, they'd only asked for/been offered one file (a video) from the phone, to prepare his client. Why, upon receiving everything on the phone, would they then think "I know, I'll show my client the lot"?
I'd have thought (possibly naively) that they'd have been familiar with data protection law.
Yes, I fear you're right there. I presently work in an environment where Chinese walls, client confidentiality, need-to-know are crucial to the way we do our business and maintain our reputation.
Got a guy with us who's been around the legal biz. Seems the way of the world pretty much universally there is that all their docs (certainly within a group of partners) are open to all, no role- or client- based permissions, totally reliant on their professional standards not to read the wrong thing.
Sounds like a disaster waiting to happen to me, but whadda I know?
The solicitor did nothing wrong.
He asked for disclosure and got a bumper Christmas present of disclosure.
The DPA breach is with the discloser.
As for it being accidental, given the wholesale corruption in Kent Police the chances that this was a genuine error are almost nil.
What's the point in fining a Police Force money? They're funded by the public purse - so that 80K is several front line officers not being recruited next year.
How about just locking up the entire chain of command responsible for this breach? Wouldn't have to be long - just a week inside - let them be on the end of a little potential violence they can't get away from - that would surely focus their minds on the future of keeping people's data secure.
It's one of the ICO's few tools in these circumstances, and it does bring the circumstances of these breaches to the public's attention too. I agree with you about the public purse issue. It certainly would be nice if there was more room/interest in prosecuting in the most severe circumstances.
It might be one of the ICO's few tools, you'd be a tool to think it'd make any difference though. It's not likely the public are going to remember and it will all blow over soon enough. If there were real disciplinary consequences for such a mahoosive and stupid breach i.e. you lose your job, you might not be so careless in the first place. Severely screwing with someone's life is not worth the insult of taking public money from a public body that the victim presumably paid some tax towards and those in charge have no vested interest in!
It does make sense to sack people who break the rules, but you should think of it as a way of protecting the employer (and the employer's customers) rather than punishing the employee. In some cases the employee was in any case about to retire, or move to another job, or be sacked for some other reason, or be made redundant, in which case sacking is not a punishment at all. Being sacked can even be a reward in some cases because you conserve benefits that would have been lost in leaving voluntarily.
"It's one of the ICO's few tools in these circumstances"
It really ought to have been considered at the time the DPA was drawn up. Fines are inappropriate for a public body. There seems to be an assumption that public bodies wouldn't breach the provisions. We now realise that they're one of the categories of data managers who present most problems. In the absence of any other more appropriate provision there needs to be a mandatory requirement for personal responsibility.
But I still can't get my head round the notion that this was supposed to have been carried out in accordance with the force's procedures. Are the procedures really so stupid as to mandate this or are they so vague that anything would be in accordance?
It would be insane to actually lock these people up in general prisons, or - when they're too full - in police stations! Besides - mixing senior plod with people plod locks up is more likely to result in a nasty collusion situation - keep them well separated at all times.
But what about something like a sin-bin, like maybe being detained by the military police for a week or several. That would really screw up the golf club schedule.
Early retirement on full pension often seems to be the worst that's on offer both for negligence and malfeasance. Let's not be inhumane here, but the deprivation of liberty for a period should be a serious option. Maybe there was no criminal intent here, but a little bit of potential personal inconvenience may be enough to focus the mind of senior plod.
"Exactly, the person that 'lifted' (actually stole) the additional data from the phone should be charged with theft"
How many times do we have to go over this? It's just like the unending "copyright violation is theft" crap.
Theft is taking with intent to permanently deprive the owner. Copying isn't theft, it's copying. The two are not the same thing.
Theft - dishonestly taking something that belongs to someone else. Show me a definition anywhere which mentions a physical loss on the part of the owner. For that matter, show me a thief whose only motivation was to deprive the owner. If you're going to canter your high horse across the plains of pedantry, at least pick something a little more black and white.
Small correction. Nothing was "stolen". The woman provided the phone to the police and consented to its contents being copied. However, the police had no fucking business copying and keeping more than the video the victim had made. And they sure as Hells should not have provided it to the lawyer until charges had actually been brought against the accused as part of discovery.
Given the number of times I've heard about police doing more to protect each other than to protect the public I can't help but think there was malicious intent by individuals in the police department.
> The woman provided the phone to the police and consented to its contents being copied
I would speculate that she consented to specific data only (the video) being copied. If anything else was copied then that would have been without consent and thus a criminal breach under the Computer Misuse Act. Passing that illegally copied data to a third party would be the offence we read about here under data protection laws.
The question then is whether the solicitor might reasonably have suspected that the data he was handed was not "legit" - and reading the report it sounds like he really should have had suspicions, and therefore could be argued to have also committed one or more offences (data protection, assisting an offender) as well as a serious breach of professional conduct.
So passing detailed, intimate personal information about an alleged victim to their alleged attacker costs 80 grand. If you just have a few uncontroversial customer and HR records, why would anyone bother making any attempt to comply with data protection legislation? Odds are you won't get caught anyway, but if you do, just act contrite in front of the Information Commissioner and you'll get a fine that will probably come out of petty cash for a lot of companies.
That may well change when the GDPR comes in of course.
"That may well change when the GDPR comes in of course."
Only for the private sector, and "expendable" public sector bodies.
You can be sure the UK government will write a law that uses the GDPR exemption clauses to keep its own bureaucracy immune. Small time public sector (local authorities, NHS) probably will still be hit, but people like the police will hide behind a blanket exemption, as will all aspects of Snooper's Charter, and every aspect of Civil Service malfeasance.