The Chief Constable of Humberside Police has signed an undertaking to comply with the Seventh Data Protection Principle.
ICO case reference: COM0649315
DATA PROTECTION ACT 1998
Data Controller: HUMBERSIDE POLICE
I, Lee Freeman, Chief Constable, of Humberside Police, for and on behalf of the Humberside Police hereby acknowledge the details set out below and undertake to comply with the terms of the following undertaking:
1. Humberside Police is the data controller as defined in section 1(1) of the Data Protection Act 1998 (the ‘Act’), in respect of the processing of personal data carried out by Humberside Police and is referred to in this Undertaking as the ‘data controller’. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of the data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.
2. The Information Commissioner (the ‘Commissioner’) was informed by the data controller on 5 October 2016 about the loss of ‘Achieving Best Evidence’ interview disks and written notes about an alleged rape. The disks were not encrypted or password protected. The disks had been created by Humberside Police after an interview was conducted on behalf of another Force.
3. It is an expectation of the Commissioner that organisations provide training to their staff members so that they understand their responsibilities under the Act, and that this training is refreshed regularly. Such training reduces the likelihood of data breaches occurring.
4. During the Commissioner’s investigation into this incident the data controller confirmed that there are Data Protection and Information Security modules included in the NCALT training package. However, completion of this training module was only made mandatory in 2017.
5. Of the three officers involved in this incident, two received NCALT training in 2010/2011 and the third has not received the NCALT training at all.
6. It was confirmed on 14 September 2017 (13 months after the force became aware of this incident) that the Force’s compliance rate, in relation to data protection training, was only 16.8%.
7. The Commissioner’s investigation revealed that the data controller does not have a reliable method of monitoring the completion of training or refresher training.
8. In May 2013 the Commissioner conducted an audit of the data controller. One of the areas for improvement highlighted by the audit was that the data controller should provide mandatory Data Protection and Information Security training with regular refresher training to maintain current knowledge and to make staff aware of the risks relating to non-compliance with Principle 7 of the DPA. The data controller provided an update at the audit follow-up stating that training had been evaluated and would be given on a three-yearly basis.
9. Whilst there is a training package in place, introduced in 2015, the Commissioner remains concerned at the data controller’s failure to implement training and refresher training, and to implement an effective mechanism to monitor uptake of that training.
10. The Commissioner’s investigation also found that awareness of DPA policies, certainly in some departments, was lacking at the time of the incident.
11. The Commissioner has considered the data controller’s compliance with the provisions of the Act in light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act.
12. Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising her powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
(1) The data controller shall ensure that all current staff members responsible for the handling of personal data receive appropriate, specific data protection training. This process should be completed within six
(2) In addition, the data controller shall ensure that all staff members who regularly handle removable media, such as CD ROMs, DVD ROMs and USB memory sticks, receive training about the use of encryption, including when it is appropriate to use encryption and how to encrypt.
(3) The data controller shall ensure that such training is refreshed annually.
(4) The data controller shall ensure that all new staff members responsible for the handling of personal data are given appropriate, specific data protection training upon induction.
(5) The data controller shall devise and implement a system to ensure that completion of data protection training is monitored, and that procedures are in place to ensure that staff who have not completed training within the specified time period do so promptly. This should be completed within three months.
(6) The data controller should ensure that DPA policies and procedures are promoted and made available to staff in all departments that handle personal data.
Head of Enforcement
For and on behalf of the Information Commissioner