ICO: Police authority breached Data Protection Act

Lancashire Police Authority broke data protection laws by publishing a complainant's personal information on its website, the Information Commissioner's Office said on Tuesday.

According to the watchdog, the police authority not only put two documents detailing the complaint online in full without removing key information, but also failed to remove that information for four days after the complainant notified them of the issue. In doing so, the authority breached the Data Protection Act.

A spokesman for the ICO would not give further details of the case, other than to say there had been "a dispute between the complainant and the police authority involved".

In a statement on Tuesday, the ICO said it had ordered the police authority to check and correctly redact any information due for release on its website, and that the authority had agreed to bring in a new staff policy explaining what they had to do when told of a possible data protection breach.

"While it is important that public authorities are transparent about the work they do by publishing information online, this should never be at the expense of an individual's rights to privacy," ICO operations director Simon Entwhistle said in the statement. "There can be no excuse for publishing someone's personal information online, and the fact that the authority failed to remove it when told makes this case all the more concerning."

Entwhistle added that the case should serve as a warning to all public authorities that information security should be prioritised across their organisations.

A report released earlier this month by privacy activists Big Brother Watch showed that, over the last three years, 904 police employees have been subjected to international disciplinary procedures for Data Protection Act breaches.