Mat Hayward - stock.adobe.com
UK police have lost more than 150,000 fingerprint, DNA and arrest history records after accidentally wiping them from national policing systems.
The Home Office said in a statement that it was working with police to “assess the impact” of the glitch that occurred within the systems, and that no records of criminals or dangerous persons had been deleted.
It said the wiped records were those of people arrested and released when no further action was taken.
Policing minister Kit Malthouse said that “a standard housekeeping process that runs on the Police National Computer [PNC] deleted a number of records in error”, and that “a fast time review has identified the problem and corrected the process, so it cannot happen again”.
Malthouse added: “The Home Office, the National Police Chiefs Council and other law enforcement partners are working at pace to recover the data. While the loss relates to individuals who were arrested and then released with no further action, I have asked officials and the police to confirm their initial assessment that there is no threat to public safety.”
It is currently unclear, however, which specific policing systems experienced the problem and how widespread it was. Although the PNC does hold a range of personal data on individuals – from information on arrests and convictions to vehicles and property – it does not contain fingerprint or other biometric information, which is located in the IDENT1 system.
Similarly, information related to DNA is held in the National DNA Database, not the PNC, which means the technical issue has affected a number of UK policing databases.
The issue is also said to have affected the UK’s visa system, which had to suspend processing applications for two days.
Shadow home secretary Nick Thomas-Symonds has called on home secretary Priti Patel to take responsibility for the computer error and provide clarity over its impact.
“This is an extraordinarily serious security breach that presents huge dangers for public safety,” he said. “The incompetence of this shambolic government cannot be allowed to put people at risk, let criminals go free and deny victims justice.”
The Home Office did not comment when asked by Computer Weekly what the justification was for holding records on thousands of individuals when no further police action was taken.
The PNC currently holds information on about 12.6 million individuals, and retains this information until either their 100th birthday or 100 years from the date it was first reported to police, depending on the intelligence category the information falls into.
Read more about police use of technology
- The roll-out of Microsoft 365 to dozens of UK police forces may be unlawful, because many have failed to conduct data protection checks before deployment and hold no information on their contracts.
- Metropolitan Police failed to comply fully with an enforcement notice issued by the Information Commissioner, and despite hundreds of overdue subject access requests the regulator did not take further action.
- Body-worn video integration will transform Lancashire police’s time-consuming and manual procedures into an efficient digital workflow, but claims that BMV will increase transparency and accountability are not backed by the evidence.
Kevin Blowe, a coordinator at the Network for Police Monitoring (Netpol), said the data loss, which has been criticised by sections of the press and politicians for “allowing offenders to go free”, has “certainly led to an outbreak of reactionary pearl-clutching, including from some opposition politicians”.
He added: “If, however, the Home Office is correct and no records of criminal or dangerous persons have been deleted, but only records of those arrested and then released without further action, then there are far more important questions that need answering.
“Why are police keeping huge amounts of personal data that it doesn’t need, apparently on the off-chance that it might become useful as intelligence in the future? How is this not on a par with the police keeping millions of facial images of innocent people on a searchable database, long after the courts ruled that this was unlawful?”
The Home Office similarly did not comment when asked about whether the lost data was retrievable, and whether it had any idea of when the data would be recovered.
Ezat Dayeh, a systems engineer manager at data management firm Cohesity, said: “The bottom line here is that critical data must be protected. It is hard to believe that there is no protection, no backup and no policies that would prevent this kind of data being lost. If they have only just discovered the deletion, then they should be able to recover this data within hours. If not, and if their backup doesn’t stretch back far enough, then questions need to be asked.
“Human error, ransomware or even something as innocent as accidental deletion or a power failure can lead to files not being accessible. But organisations should be regularly backing up their files and verifying that all that data is secure and usable. It’s not just a best practice in data management or an IT issue, it’s an organisational must and a compliance measure that is often required by law.”
The ICO has confirmed to Computer Weekly it received a report of the data breach from the Home Office, which is required by law to happen within 72 hours, and is making further inquires about the incident.
"Personal information must be handled securely by any organisation. When this isn’t the case, the loss of personal data can have far reaching consequences, sometimes beyond the individual whose information has been affected,” said an ICO spokesperson.
The PNC last experienced a major problem on 21 October 2020, going down for more than 10 hours after an electrical power outage.