Lost USB stick costs police £120,000
Greater Manchester Police has been fined £120,000 for losing a USB stick containing data on more than a thousand people – despite a previous incident leading to an “amnesty” on unencrypted memory sticks.
The Information Commissioner’s Office fined the police force £150,000 – but offered a £30,000 discount for early payment – after an unencrypted memory stick holding data relating to an investigation was stolen from an officer’s home in July 2011.
The device held personal data on 1,075 individuals with “links to serious crime investigations”. While the ICO admits not all of the data was sensitive, the ICO redacted even the description of the sensitive aspects in its own notification document.
The officer in question – who worked mainly in the drugs squad of the Serious Crime Division – was given an encrypted memory stick by the force in 2003, which he used to back up his files and carry key documents with him when out of the office. However, the officer replaced the USB stick himself for a larger capacity one – but without encryption.
The incident follows a similar data breach in 2010. After that, the force banned unencrypted memory sticks, holding an “amnesty” leading to 1,100 devices being turned in. However, the officer who was burgled was on leave during the amnesty, so continued using his unencrypted device.
“This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,” said David Smith, the ICO’s director of data protection. “It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.”
Greater Manchester Police has now installed security software blocking data from being transferred to “unauthorised” USB devices, the ICO noted.
The ICO has been criticised for issuing heavy fines – so far, almost all to public sector bodies – when budgets are already being cut.
Earlier this month, the head of an NHS patient information group suggested the fines hitting the health service were already hurting patient care. This time, the ICO pointed out that it doesn’t keep the fine, but hands it over to the Treasury.
While a single stolen memory stick with a limited amount of sensitive data may seem hardly worth a six-figure fine, the ICO noted that the officer wasn’t the only one ignoring data rules. “At the time of the security breach, a significant number of officers across the Force were routinely using such devices although the Commissioner accepts that they were not necessarily storing sensitive personal data,” the ICO said.
In the official notice, the ICO defends its decision to levy a fine, saying the incident was “likely to cause substantial damage and/or substantial distress” – but admitted there was no proof the data had been used. The USB stick has still not been recovered.
“This is a substantial monetary penalty, reflecting the significant failings the force demonstrated,” Smith added. “We hope it will discourage others from making the same data protection mistakes.”