Hot on the heels of the major data breach in August of this year when thousands of officers’ personal information was accidentally leaked via a spreadsheet, the PSNI has once again found itself on the naughty step and received a slap on the wrist from the Information Commissioner following revelations of personal information having been unlawfully shared by the PSNI’s Extradition Unit (EU) with the United States Department of Homeland Security (DHS). Information on 174 individuals was apparently routinely shared over a four year period between 2016 and 2020 to inform the DHS of their intentions to visit the USA “for the purpose of disrupting travel arrangements which resulted in data subjects being refused entry”.
As any seasoned privacy practitioner will tell you, the sharing of personal information with a third party organisation is not necessarily the problem in itself – but you must be able to reasonably justify the sharing and demonstrate that the necessary legal conditions have been met. And the PSNI had clearly failed to do this.
The ICO’s report (or “reprimand” as it’s diplomatically referred to here) is a readable and succinctly summarised five page document), so I won’t go into too much detail here, but suffice to say it’s a perfect lesson in how not to comply with data protection laws.
This paragraph is particularly astonishing:
“Personal data was routinely sent to the US via email, without encryption or password protection. Whist there is no evidence to suggest the personal data was inappropriately accessed, the investigation found that personal data was processed without the appropriate security being applied.”
A police force sending non-encrypted data of a potentially sensitive nature across the Atlantic beggars belief. As any expert will confirm, if you’re sending personal information by email to outside your organisation’s network (let alone a different jurisdiction) as a you must ensure it is encrypted with some level of protection. To quote the oft-repeated cliché – an email is about as secure as postcard.
International data transfers particularly between the US and Europe have historically posed something of a thorny issue. The clear power imbalance when it comes to the big tech giants (with almost all of the main cloud platform providers including Amazon Web Services (AWS), Microsoft Azure and Google Cloud being American companies) has been the subject of much legal wrangling over the years. The fact that the data involved was not just names and addresses, but highly sensitive information such as details of criminal convictions and biometric data (eg fingerprints, facial recognition, iris scans, etc) and therefore “special category” makes it all the more disturbing.
Interestingly enough, the ICO makes a typographical error in its statement which seems to be something of a Freudian slip:
“The investigation found despite PSNI having polices (sic) and guidance in place on how personal data of this type should be handled to ensure the appropriate security of that personal data was applied, EU staff failed to follow the correct process”
Of course this is not the first time the PSNI has been in the headlines concerning sensitive information on criminality in America. The infamous “Boston Tapes” affair, although not connected to the current case was about information flowing in the other direction across the Atlantic. But that’s a whole other story.
And it’s not the only police force to come under scrutiny from the Information Commisioner following inadequate handling of personal data. Constabularies in Surrey, Sussex (recording of phone conversations), London (inadequate handling of sensitive files), Cumbria (accidental publication of officers’ details online) and Kent (unsatisfactory processing of information requests) have all been found wanting in recent years in the field of data security.
And it’s also been happening on the other side of the border. The Irish Data Protection Commissioner issued a reprimand after information on “persons of interest” was unlawfully accessed by a contractor who was carrying out repair work at a garda station.
So let’s hope that the PSNI’s new chief constable, unlike some of his predecessors places an emphasis on improving data protection and cybersecurity practices within the force.
Ciaran Ward is from Co. Tyrone and is now based in London where he works in the data protection/cybersecurity field. His latest book “On Square Routes”, a collection of memoirs, travel writing, short stories and poetry has just been published and is now available from Amazon.
He very occasionally blogs and tweets at https://dreamingarm.wordpress.com/ and @CiaranWard73
