Force`s second censure on data protection record for `repeated failings` in training

A force has embarked on remedial action to avert an enforcement notice over a series of data breaches – a year after it was fined £150,000 when an officer accidentally sent details of eight sex offenders to a member of the public. Dyfed-Powys Police has admitted an “organisational failing” after a second censuring by the Information Commissioner`s Office (ICO) – on this occasion for “repeated failures” in staff training. The latest repercussions relate to inappropriate disclosures from three data protection incidents over an 18-month period up to March 2017. One, in August 2016, saw sensitive personal data being passed via open fax message to a GP`s surgery; while a second – last January – involved an officer passing information relating to a councillor and neighbour by email to the clerk of a local council. The last one, which happened prior to November 2015 but was not revealed until March of this year, involved a photograph taken on a mobile phone which showed an officer’s working environment, including a computer screen on which data was displayed. The picture was forwarded to a family member. In all three cases, the officers had received no data protection training – and the ICO discovered in the investigation that 1,204 officers out of a force strength of 2,258 were in a similar position. Chief Constable Mark Collins has given an undertaking to the ICO that he will implement a “force-wide” programme of full training with a back-up refresher plan to “ensure ongoing compliance” under the Seventh Data Protection Principle of the 1998 Data Protection Act. An ICO spokesperson said the force was under a legal obligation to do whatever was necessary to ensure a “safe and secure” data protection environment, adding that the incidents had “determined repeated failures in the training of staff”. While avoiding any immediate enforcement action which could have resulted in another fine, the force will now be the subject to further external examination from the ICO – with a “review of progress” at a later date. Deputy Chief Constable Darren Davies said the force “completely acknowledged the issues highlighted within the undertaking” from the ICO and had already identified the issues and taken steps to address the problems. He said the commissioner had accepted that “remedial action is in place” – therefore “did not take the more serious step of issuing an enforcement notice”. Mr Davies said the force had now adopted a new departmental structure and supervisory model as well as a full training plan ” to address staff awareness”. He added: “I must stress this is an organisational failing rather than individuals being held to blame, and the incidents cover a period between November 2015 to early 2017, where clearly appropriate training and processes had been absent.” In June 2016, the force was handed a massive £150,000 penalty by the ICO for a data protection transgression after an email recipient was accidentally included in five emails intended for an internal message group over four days in April 2015. One email included a list of the eight sex offenders in Powys, including their names, addresses, telephone numbers and emails addresses. At the time of the enforcement action, the then ICO Assistant Commissioner (Wales) Anne Jones said “simple human error” had made been possible by “poor procedures the force had in place around protecting people`s personal data”. Describing the incident as “an accident waiting to happen”, she added: “This is a troubling story, and one that will do little to reassure the local community that its police force can be trusted to look after sensitive information.” After the hefty fine was handed out, Dyfed-Powys police and crime commissioner (PCC) Dafydd Llywelyn gave an assurance that he was “holding Dyfed-Powys Police to account to guard against any possible future breaches of regulations”. He added at the time: “I’m content that, in light of this regrettable incident, the force has made important changes and learnt significant lessons