Crime Victims’ Data Leaked By UK Police Forces In FOI Responses

In a concerning revelation, Norfolk and Suffolk Police have admitted that personal data belonging to over 1,000 individuals, including victims of crime, has been inadvertently included in responses to Freedom of Information (FoI) requests.

The two East Anglian constabularies have attributed this breach to a “technical issue” which led to raw crime report data being embedded within a “very small percentage” of FoI responses dispatched between April 2021 and March 2022.

This incident raises important questions about data security and shows the need for robust measures to safeguard sensitive information.

A Data Dilemma

The leaked data spanned a range of criminal offenses, including sexual offenses, domestic incidents, assaults, hate crimes, and thefts, effectively putting the personal identifiable information of victims, witnesses, and suspects at risk.

The leak brings into sharp focus the necessity for strong data protection protocols, especially in cases where the sensitive nature of the information requires confidentiality.

According to Suffolk Police, the raw data was nestled within an Excel spreadsheet, hidden from casual view within the files.

This implies that a conscious effort was needed to locate and access the concealed information. Despite the apparent security mechanism, concerns remain about the implications of the a data breach, as unauthorised access to this information could have serious consequences.

Reassurances Amidst Uncertainty

The affected police forces have tried to allay concerns by saying that there is currently no evidence to suggest external parties, beyond law enforcement, have managed to access the exposed data.

This attempts to stop a potential fallout, but the incident echoes a similar breach by the Police Service of Northern Ireland, which inadvertently disclosed personal details of approximately 10,000 officers and staff members.

In a joint statement issued by Norfolk and Suffolk Constabularies, it was acknowledged that the inclusion of raw data within FoI responses was a result of the technical issue, which concealed the data from casual viewers, but should never have been included. The statement laid out the steps being taken to address the breach, including an analysis of the compromised data and the initiation of a notification process for individuals affected by the breach.


Vulnerable Victims Seek Anonymity

A particularly worrying aspect of the breach is its impact on victims of sexual offenses, who are entitled to lifelong anonymity under the law.

This breach raises questions about the strength of existing safeguards for sensitive personal information and highlights the urgency of reinforcing protective mechanisms for vulnerable individuals.

Accountability and Action

Assistant Chief Constable of Suffolk Police, Eamonn Bridger, conveyed a heartfelt apology on behalf of the forces, acknowledging the distress caused and committing to rectifying the situation. Tim Passmore, the Police and Crime Commissioner for Suffolk, expressed his apologies as well and pledged to conduct a comprehensive review of the constabulary’s information-sharing processes to prevent a recurrence of such incidents.

The Information Commissioner’s Office (ICO), the regulatory authority overseeing data protection, has initiated an investigation into the breach. Stephen Bonner, deputy commissioner at the ICO, commented on the gravity of the situation, emphasising the pivotal role data protection plays in safeguarding individuals’ privacy.

Bonner also revealed that the ICO is concurrently investigating another breach reported in November 2022, showcasing the persistent challenges organisations face in securing sensitive information.

Lessons for Data Security

As the fallout from the Norfolk and Suffolk Police data breach unfolds, it serves as an important reminder of the ever-present need for robust data protection measures.

The incident showcases the necessity for organisations to remain vigilant, ensuring that both technical and procedural safeguards are in place to protect personal and sensitive information from unauthorised access.

While investigations are underway and accountability measures are being taken, this incident highlights the ongoing need to prioritise data security in an increasingly digital age.