In March 2009, a BBC Wales investigation revealed that serious data security breaches had occurred at three of the four Wales police forces. The breaches were revealed when BBC Wales made Freedom of Information (FOI) requests to the four Wales forces: Dyfed-Powys Police, North Wales Police, South Wales Police, and Gwent Police. Three of the forces responded with details of the breaches, while South Wales Police refused to release information on the grounds that it would be too expensive to administer.
The breach at Gwent Police involved the loss in May 2007 of a data CD containing the details of 2,319 victims of crime. The data included names, addresses and contact details for victims of offences such as theft and burglary. The data CD was sent in a sealed envelope to a company who carry out satisfaction surveys on behalf of the force, but when the envelope was opened the CD was not there and subsequent searches failed to locate it. It is understood that the unmarked CD was password-protected, but press reports vary as to whether the data was encrypted.
North Wales Police revealed four incidents where staff had access to police computer systems without authorisation and six incidents of unauthorised or accidental disclosure of personal details. At Dyfed-Powys Police, it was revealed that sensitive information regarding a member of the public had been accidentally sent to an unrelated person after a paperwork mix-up. The force also reported six separate incidents of employee computer misuse where staff had inappropriately accessed personal records, leading to the dismissal of one member of staff.
For a company to be compliant with the Data Protection Act, it must ensure that appropriate measures are taken to guard against unauthorised or unlawful access to or use of personal data. Speaking to the BBC, Assistant Information Commissioner for Wales Anne Jones said, “We will be contacting the relevant authorities to establish the facts and where necessary, we will not hesitate to take enforcement action.”
According to a recent report from Audit, Tax, and Advisory group KPMG there were 427 incidents of data loss in 2008 worldwide, affecting 92 million people. The KPMG Data Loss Barometer report also predicted that this figure would soar to 190 million in 2009. According to KPMG Partner Malcolm Marshall, “Data loss trends are set to increase through 2009. With increasing economic pressures creating budget constraints, companies will be more vulnerable to the risk of data loss and their consequences.”
“We anticipate an increase in the number of malicious data theft attempts,” he added. “The organisations that will be most severely affected are those who share most data with external providers and other third parties.”
The breaches revealed by BBC Wales highlight the importance of strong and well-enforced data security guidelines for any firm dealing with sensitive data. The guidelines should control the way in which staff access and use sensitive data and address the transport and management of data offsite to minimise the risk of theft or accidental loss. Steps should also be taken to carefully monitor employee computer use in order to swiftly detect incidents of unauthorised action. Where such actions are uncovered, firms must be sure to publicly enforce guidelines, which may involve calling in computer forensic experts to recover evidence of such actions that may be used in a court of law or employment tribunal.