ICO reprimands West Midlands Police for data protection failure
The Information Commissioner’s Office (ICO) has issued a reprimand to West Midlands Police (WMP) after the force repeatedly mixed up two people’s personal information.
The ICO said on “numerous occasions” throughout 2020, 2021 and 2022, WMP incorrectly linked and merged the records of two people with the same name and date of birth.
“Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime, a breach of the Data Protection Act 2018,” it added.
“This mix-up led to inaccurate personal information being processed and resulted in a catalogue of errors, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child.
“WMP didn’t take steps to rectify the error quickly enough and there was a failure to stop the inaccurate linking of records reoccurring, both breaches of data protection law.”
The ICO also found that there was a lack of regular data protection training and not enough was done to make employees aware of their responsibilities to report any inaccurate personal information.
David Doodson, Civil Investigations Group manager at the ICO said: “It is essential that police forces handle personal information with the utmost respect to maintain people’s trust and confidence in the police. Sharing the same name and birthday as someone else should not mean your personal information is jeopardised, especially given the sensitive nature of the information held.
“This case highlights the importance of training to ensure officers understand data protection law to avoid mistakes like this occurring again.”
He said WMP has since introduced a new data quality policy and produced a “Think before you link” campaign to help ensure accuracy, both steps that the ICO has welcomed.
Recommendations made by the ICO included:
- Maintaining relevant records of its processing activities;
- Taking appropriate action to distinguish the records of the two individuals and prevent further inaccurate linking and merging of records containing personal data;
- Sharing learnings from security incidents across the organisation and reminding employees of relevant security policies; and
- Ensuring employees attend mandatory data protection training in line with WMP policies, including implementing an appropriate action plan to improve completion rates of refresher data protection training.