'Serious' data breach at Gwent Police
17 Apr 2010
Gwent Police and the Independent Police Complaints Commission are investigating a breach of data security where information about individuals subject to criminal records checks was emailed to a journalist by mistake.
Records of thousands of individuals applying for sensitive jobs was mistakenly emailed to a journalist at The Register, an online IT news service.
The Microsoft Excel spreadsheet, which was not encrypted or password protected, contained the full names and dates of birth of 10,006 people in jobs or applying for jobs where a Criminal Records Bureau (CRB) disclosure wass required, dating back to 2001.
The results identified 863 people as having a criminal record and detailed their occupations, including dozens of taxi drivers, school and hospital workers.
The Register contacted Gwent Police who visited the site’s offices in London where the file was deleted in front of the force’s Professional Standards Department officers.
The mistake is said to have occurred when the author of the email — a member of the force’s CID data management unit — used the auto-complete function in Novell’s email software to include the journalist’s address along with those of five Gwent Police officials in the “CC” field of the message. The Register email address had been automatically saved by the system after it was used to submit two unrelated Freedom of Information requests last year.
Gwent Police confirmed the email was sent in February with the sensitive attachment by one of its senior staff members who has been suspending pending the outcome of an enquiry.
Deputy Chief Constable Carmel Napier said she was very grateful to The Register for alerting the force on April 9. She added the force has strict policies and procedures in place relating to Data Security and blamed human error for the mistake.
“We are very sorry that we have on this occasion failed to meet our own high standards. “
Gwent Police confirmed the personal details contained in the attachment were names, dates of birth, title of post applied for and some administrative details relating to the progress of the application.
A statement on the force’s website says it has acted quickly and decisively to protect the public.
An internal investigation under the supervision of the Independent Police Complaints Commission has commenced and the relevant regulatory bodies (Information Commissioner, Criminal Records Bureau, Home Office, the Independent Police Complaints Commission and Gwent Police Authority have been notified.
A group has been established, led by chief officers, who will personally ensure that lessons learnt are implemented immediately.
“Gwent Police are satisfied that the public and their personal data are not at risk, however, in view of any concerns members of the public may continue to have, we have set up a dedicated helpline to offer further reassurance.”
The Chair of Gwent Police Authority, Mrs Cilla Davies added: “The Police Authority has been kept fully informed throughout and is satisfied that the chief constable's immediate and decisive action is dealing with this unfortunate situation appropriately.”
The Register claimed Gwent Police asked it to consider not publishing a story about the data breach saying it would undermine public confidence in the force, but it declined.