ICO Fines South Wales Police Over Sex Abuse Evidence Loss

police handcuff security crime keyboard © Oleksiy Mark Shutterstock

DVDs containing an interview with a victim went missing from a desk, and the loss was unreported for two years

The Information Commissioner’s Office (ICO) has fined South Wales Police £160,000 over its loss of a video recording that formed part of the evidence in a sexual abuse case.

ICO has also asked the force to sign an undertaking to implement policies to prevent the recurrence of similar incidents.

The force conducted a recorded interview in August 2011 with a victim who had been sexually abused as a child, with the recording being stored on multiple DVDs.

ICO logo square

“Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer,” the ICO noted.

When an office move took place three months later, the discs were discovered to be missing, but this security breach went unreported for nearly two years due to what the ICO termed “lack of training”. The DVDs were stored in a secure part of the police station, but the force had “no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations”, the ICO said in a statement.

A second interview was abandoned due to the victim’s distress and the DVDs haven’t been recovered, according to the ICO. The defendants involved were, however, later convicted in court.

Procedural failure

The privacy watchdog said the force’s failure was in not having “robust procedures” in place to protect such highly sensitive information.

“The organisation has failed to take all appropriate measures against the unauthorised processing and accidental loss of personal data,” said Anne Jones, assistant commissioner for Wales, in a statement. “The monetary penalty given to South Wales Police should send a clear message that organisations have to take responsibility for personal data and the way in which it is stored.”

Police data lapses

The ICO lashed out at UK police forces last year in a report detailing numerous lapses, following an audit of how British policing organisations handle personal data. Only one of the unnamed forces audited earned a “high assurance” rating.

The audit followed an incident in which the Metropolitan Police admitted to accidentally exposing more than 1,000 crime victims’ email addresses.

Earlier this year Google agreed to change its privacy policy for UK customers following an ICO investigation into the harvesting of personal information.

Are you a security pro? Try our quiz!