Force fined £150,000 after email accident waiting to happen leaked sex offenders details
A force has been fined £150,000 after it accidentally sent an email leaking the identity of eight sex offenders to a member of the public.
A force has been fined £150,000 after it accidentally sent an email leaking the identity of eight sex offenders to a member of the public.
The error was made when a Dyfed-Powys Police officer emailed colleagues information on eight people in the force area, including their names, addresses, phone numbers and email addresses.
The message also contained details that inferred those mentioned were sex offenders.
However, the officer mistakenly sent the email to a member of a local community scheme as well after selecting the wrong name in the forces address book.
An investigation by the Information Commissioners Office (ICO) has now found the force lacked sufficient safeguards to keep personal information secure.
ICO also issued the force with a £150,000 fine, which will be reduced to £120,000 if it is paid in full by July 4.
Anne Jones, ICO assistant commissioner for Wales, said: While at first glance this might seem like simple human error, it was made possible by the poor procedures the force had in place around protecting peoples personal data.
This is a troubling story, and one that will do little to reassure the local community that its police force can be trusted to look after sensitive information.
This was an accident waiting to happen. The force failed to take advantage of earlier opportunities to address the problem, and now faces the consequences of getting it wrong.
Even though the address book was only meant to be used for internal emails, ICO found it also contained 85 frequently used contact details for members of the public 45 of which were non-secure.
One of these the recipient in question appeared first in an alphabetical list of names, so she was frequently sent emails in error by the force.
Over just four days in April, she received five separate messages meant for internal recipients.
She alerted the force to this issue herself, and also replied to the emails to advise the sender of the error.
ICO criticised Dyfed-Powys Police for failing to ensure an internal address was the first entry in the global address book, and for allowing it to contain external addresses.
The investigation also found the force failed to provide officers with specific guidance or training on double-checking that an e-mail address is correct before the message is sent.
In its investigation report, ICO said: In this context it is important to bear in mind that in 2008 a sex offender was killed in a vigilante attack unrelated to the data subjects.
If this information has been misused by the person who had access to it, or if it was in fact disclosed to untrustworthy third parties, then the contravention would cause further distress to the data subjects and damage such as exposing them to vigilante attacks and possible relocation to another county.
Dyfed-Powys police and crime commissioner Dafydd Llywelyn said he would be sure to hold the force to account in the future to guard against possible breaches of regulations.
And T/Deputy Chief Constable Liane James said the force accepts that mistakes were made and has begun to make the necessary changes to processes and systems.
She added: We work hard to ensure the safety of the data available to us and will continue to take the learning from this, now and in the future.