Concern follows police convictions for Data Protection Act violations

A Freedom of Information request reveals that 243 police officers were convicted of Data Protection Act violations in the last three years.

A Freedom of Information Act request has revealed that 243 police officers have been convicted of breaching the Data Protection Act (DPA) in the last three years, with 98 of them losing their jobs as a result. A further 904 officers and staff members were subjected to internal disciplinary proceedings for breaching the DPA, but were not prosecuted.


The Data Protection Act violation information was obtained by campaigning organization Big Brother Watch and is based on responses from 36 of the 43 police authorities in England and Wales. The remaining seven authorities either refused to answer or failed to respond.

Kent police topped the list with 10 employees dismissed from the force for DPA breaches, followed by Merseyside and West Midlands (both seven) and Northumbria (six). Merseyside conducted 208 internal disciplinary procedures, more than any other force, although these mainly related to one occasion in 2009 when 130 members of staff inappropriately took advantage of access privileges to find out details of the arrest of Liverpool football captain Steven Gerrard.

Many of the cases involved officers viewing information for their own interest, or to gain information about neighbours or partners, but some of the police convictions were more serious. For instance, a member of police staff resigned after admitting to disclosing information about the supply of class A drugs to a third party. Another member of staff in Lancashire was dismissed after disclosing confidential police information on Facebook.

Marc Lee, EMEA sales director for Westborough, Mass.-based access management company Courion Corp., said that, while some police forces have put in software to control who accesses systems, others “are not quite as advanced.” He said that one big problem is that officers are regularly moved from one role to another, and sometimes their access rights are not adjusted to be in line with their new responsibilities.

Courion is a supplier to West Midlands police, which reported seven prosecutions and 83 cases of internal discipline for police data protection breaches. Lee said the force is now using access-control tools to gain a better understanding of who is accessing files, and when they are doing so. “There is a growing emphasis on access intelligence in a lot of forces,” Lee said.

Daniel Hamilton, campaign director of Big Brother Watch, said the figures probably only reflect a small proportion of the actual cases of staff viewing or leaking confidential information. “These people are the ones who’ve been silly enough to be caught,” Hamilton said. “This is by no means the full extent of it, and we suspect the problem is far worse.”

Mark Fullbrook, UK and Ireland director at Reading-based vendor Cyber-Ark Software, argued that the figures gathered by Big Brother Watch tell only half the story because few police forces currently track access made by privileged account users in the IT department.

“The report contains quite a lot of banal examples where people have used their own logons to access stuff, and they’ve been caught,” Fullbrook said. “But there seem to be no examples of IT staff accessing information that is not relevant to their role.”

Fullbrook said that, while Cyber-Ark’s privileged identity management tools are widely used, the company has only one UK constabulary as a customer. “Walk into any bank today and ask who accessed what piece of information and they would be able to tell you, including the privileged users,” Fullbrook said. “But in most cases, the police do not have those tools in place. It is quite shocking.”  

Fullbrook added that Cyber-Ark has carried out regular surveys that show that one in three IT administrators admits to accessing information not relevant to his or her role. “I think this report represents the tip of the iceberg,” he said. “Unless the police are investing time and resources to ensure passwords are changed on a regular basis, which is unlikely, they have no control over the privileged users.”

Perhaps the most worrisome fact, however, is that seven forces failed or refused to respond entirely. Hamilton of Big Brother Watch said his organisation will be lodging a formal complaint with the Information Commissioner about the police forces that failed to respond to the freedom of information request, so that the ICO will compel those constabularies to release their data.
