Recently, the Information Commissioner took enforcement action against the Chief Constables of three East Midlands police forces who failed in their data protection obligations, in establishing a collaboration scheme set up to pool unit resources and share expertise.
Whilst the benefits (and sometimes the necessity) of collaboration are apparent, parties involved in any collaborative project should be alert to their data protection responsibilities and ensure appropriate safeguards are in place.
The East Midlands Collaboration Unit ("EMCU") comprises five regional police forces. In August 2010, its headquarters were, ironically, burgled and the laptops of eight officers on secondment were stolen. The laptops contained the personal data of over 4000 people, including files relating to prison records.
The Data Protection Act 1998 requires "appropriate technical and organisational measures [to be taken]… having regard to the state of technological development and… cost… [so as to] ensure a level of security appropriate to the harm that might result from… accidental loss [of data]… and the nature of the data to be protected."
Given the sensitivity of the personal data potentially compromised, suitable measures were not taken by the members of the EMCU in this instance: the laptops were not locked away, two of them were unencrypted and a risk assessment was not carried out in terms of the officers' remote deployment of the laptops.
The Information Commissioner's investigation into the EMCU data breach suggests that its failings primarily stemmed from a lack of proper planning. Before a collaborative programme is entered into, the following should be considered in order to achieve data protection compliance:
- What is the purpose of the collaboration? Does this afford a basis for data sharing among collaborators?
- If data sharing is necessary, who is responsible for what?
- Assuming that each collaborator has its own policy, which policy is being followed?
- Are staff suitably trained in respect of data protection issues?
- Has a risk assessment been undertaken to identify the nature of the data concerned and the security in place to protect it?