The Information Commissioner’s Office (ICO) has imposed a Civil Monetary Penalty of £150,000 ($241,000 or 184,000 EUR) on the Greater Manchester Police, after the agency failed to take appropriate measures to protect personal data.
The law enforcement agency exposed the details of over 1,000 individuals connected to serious crime investigations after a memory stick was stolen from the home of an officer. Although the drive contained sensitive data, it had no password protection.
The ICO has identified a number of officers who utilize memory sticks to copy information from work computers but fail to properly encrypt them to ensure that the details stored on them cannot be misused in case the devices are lost or stolen.
The Commissioner was displeased with the fact that the police force didn’t take any measures to train staff in data protection or set restrictions on downloading information, despite a similar security breach which occurred back in 2010.
“This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,” David Smith, ICO Director of Data Protection, said.
“It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.
“This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”
Since the Greater Manchester Police paid the fine on October 15, shortly after the penalty was imposed, it benefited from an early payment discount and handed over only £120,000 ($193,000 or 147,000 EUR). The money is not kept by the ICO, but goes to the Treasury’s Consolidated Fund.