Personal data of 10,000 individuals sent to wrong email address

Gwent Police have been investigated by the Information Commissioner’s Office (ICO) for a data breach involving the personal data of 10,000 individuals.

An employee of Gwent police emailed a spreadsheet containing the criminal records bureau enquiries of 10,000 individuals to a journalist by mistake. The name of the journalist was populated automatically in the system as the name was similar to one of the staff members to whom the spreadsheet was to be emailed. 863 of the records indicated that personal data was recorded but no information about the nature of the criminal records was included in the spreadsheet and no personal data was identifiable.

An investigation by Gwent police found that the staff member had failed to follow the IT policy of not sharing personal information if it is not necessary and using passwords when transmitting personal data.

Gwent police have signed a formal undertaking with the ICO agreeing to implement a number of measures to prevent such breaches occurring in future including:

• Technological measures to prevent inappropriate auto completion of addresses in internal and external email accounts;
• Technological measures which will enforce the marking of documents which are intend for transmission by email;
• Where there is a real need for sensitive personal data to be shared, direct and secure access to the database concerned should be used and if there is no option but to send the data by email, only the absolute minimum amount of identifiable data is to be sent via a secure email account;
• The prohibition of generic passwords; and
• Staff shall be made aware of the force’s restriction on the use of sensitive personal data.

Comments are closed.