ICO takes enforcement action against Chief Constables after personal data breach

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.computing.co.uk/ctg/news/2285233/ico-takes-enforcement-action-against-chief-constables-after-personal-data-breach

The Information Commissioner's Office (ICO) has urged policing staff
that work in specialist collaboration units to receive data protection
training, while it warned the units themselves to be adequately
secured.

The ICO has tried to increase awareness in the area after its
investigation of a breach at the East Midlands Collaboration Unit. It
found that a number of unencrypted laptops containing sensitive
personal data were stolen from an office in August 2010. The laptops
had sensitive personal data relating to about 4,500 offenders from
across three forces.

As a result, the ICO has taken enforcement action against the Chief
Constables of Leicestershire, Derbyshire and Nottinghamshire Police.
In a blog post, Meagan Mirza, group manager of the public security
group at the ICO, said that there was no formal basis for sharing of
personal data at the unit, and no recognition that the forces remained
responsible for the data they were processing.

"In many cases it wasn't clear why the information was needed in the
first place and this was compounded by the fact that there was no
clear identified purpose for the unit. While many of these issues have
now been addressed, the lack of planning around the set-up of the unit
is concerning," she said.

The forces were served with an enforcement notice committing them to
ensure that no personal data is shared with any other data controller
as part of a collaborative project with some exceptions, such as: if
laptops or other mobile devices used by officers working on
collaboration projects are encrypted to protect any personal data
processed on those devices; and if all officers have received training
on the security requirements of the Data Protection Act.

The ICO has raised its concerns to the Association of Police Officers
(ACPO), and it expects that the ACPO will review and update guidance
to police forces on collaborative working.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.