ICO investigates after Vodafone accidentally sends more than a thousand phone records to the Met who wanted details of just one number
Vodafone accidentally sent the mobile phone data of more than 1,000 News UK employees to the Metropolitan Police Service (MPS), which had asked for information about just one journalist as part of an investigation into bribes made to public officials in exchange for confidential information.
The Met issued a warrant under the Regulation of Investigatory Powers Act (RIPA) to Vodafone in October 2013 as part of Operation Elveden, requesting the outgoing call data of a journalist who was under investigation.
The operator handed over the information in March 2014, apparently unaware it had supplied the records of other phone numbers on the News UK corporate account. Both Vodafone and the MPS informed the Information Communications Commissioner’s Office (IOCCO) of the error, but in September the Met revealed it planned to analyse the extra information.
Vodafone said the data requested by the MPS was several years old and stored on legacy systems making retrieval a “complex” process. It blamed the accidental disclosure on “human error”, which resulted in the Met being handed a “corrupted dataset” unreliable for analysis and urged the police force to delete it.
“Once we and IOCCO were made aware in late September that the MPS intended to use the erroneously disclosed data, we urged that the MPS should delete all of the erroneously disclosed data under the appropriate statutory Code of Practice,” Vodafone told TechWeekEurope. “We also immediately began an internal investigation to analyse the material contained within the corrupted dataset.
“Our analysis revealed that the corrupted dataset was not coherent and lacked integrity, with columns of metadata incorrectly transposed and erroneous metadata included.
“Vodafone informed the MPS that, in our view, because of the corruption of the datasets these data should not be used for any investigations or prosecutions and also indicated that we would not be prepared to provide a witness statement in support of any such action.”
Vodafone said the data has since been returned by the MPS “unused” and says it has been regular contact with the Information Commissioner’s Office (ICO) which has launched an investigation into the breach after being informed by the IOCCO and could hit the operator with a hefty fine.
“We are making enquiries into the circumstances of the alleged breaches of the Data Protection Act and the Privacy and Electronic Communications Regulations before deciding what action, if any, needs to be taken,” an ICO spokesperson told TechWeekEurope.
The Newbury-based firm says it has addressed the “human error” that resulted in the breach and stressed that only details about the calls were disclosed, not the actual content of any communications. It also says that age of the data involved and the processes required to obtain it were a key factor in the blunder.
“To be clear, the unusually old age of the data required in response to this particular warrant from the MPS meant that we had to retrieve the metadata using different processes from those we normally use: we have no concerns with regards to the integrity of any other disclosures required under RIPA,” it said.
What do you know about UK mobile operators? Find out with our quiz!