Police database abused by officers

We are barely into 2014, yet we are faced with yet another serious data protection breach concerning a public sector computer. On this occasion, a police officer has been charged with stealing thousands of accident victims’ details from her police force’s computer and selling them to law firms.

This case alone highlights the serious need for our courts to issue much tougher penalties for unlawfully obtaining or disclosing personal information; otherwise these cases will continue to occur.

A court has heard that Sugra Hanif accessed Thames Valley Police’s command and control computer to note down the personal details of members of the public involved in road traffic accidents, including the unique reference number each incident was given.

Along with two others, she set up a case management company to sell this information to firms of solicitors who would pay them a referral fee for each case that led to a successful compensation claim. Each referral fee was said to be between £600 and £800 with the trio earning a total of £36,400 from the 2,456 cases stolen over an eleven-month period. However, it was estimated that if all the data stolen had been converted into referral fees, they could have earned more than £1 million.

Currently, unlawfully obtaining personal data is punishable by a fine of up to £5000 in a magistrates’ court, or an unlimited fine at a crown court. Many people will be shocked to learn that people who have been caught illegally accessing other people’s personal information will face such minimal penalties. We have consistently warned about the vulnerability of our personal information and we support the ICO in wanting to see stiffer penalties introduced for section 55 breaches.

The Information Commissioner, Christopher Graham, has warned that “Public confidence in the security of information held about them is the foundation on which all sorts of online services and developments depends. The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that.”

It is hardly surprising people choose to ignore the law when the penalties handed down are trivial. It is essential that people who deliberately set out to acquire personal information without permission face the prospect of a jail sentence if people’s privacy is to be protected. Equally, the companies paying these individuals should not be able to turn a blind eye to the methods of collecting the data. They are paying for information and should face the full force of the law if they do not take steps to ensure it was legally acquired.

The Information Commissioner is absolutely right that tougher penalties are needed urgently and Parliament should not delay in giving him the powers he needs to protect our privacy.


  1. Tim Turner
    8th January 2014

    This is not really a ‘data breach’ in the way that this phrase is normally understood. Individuals have been charged with an offence of actively stealing data. This is not the kind of loss / sloppy data handling that ‘data breach’ is usually associated with. It’s not a public sector issue either; data is stolen from (and by) private sector organisations, as the recent ICU Investigations prosecution shows.

  2. A Council of Despair – 2040 information law blog
    8th January 2014

    […] claims. BBW chose to describe this alleged criminal act committed by individuals as ‘Another serious data breach in the public sector‘. ‘Data breach’ is a clumsy, inelegant phrase, often used when ‘security […]

  3. unknown
    8th January 2014

    So are you stating someone who has made genuine human errors on systems should also face the full force of legal proceedings for example simply looking at information without training or support from employer and being neglected by employer not recognising stress and mental illness such as depression is that the persons fault or should more be done to protect the vulnerable people who get on the wrong side for innocent reasons.
    If the culprits who commit rape and sex offences burglary or drugs get let off lightly why should those that are not clued up on computer and data laws and pure errors be penalised so harshly. I understand if those who genuinely did it deliberately and to cause misconduct or sell information or get a personal gain should be punished but everyone can’t be brushed with same punishment.

    • Anon
      14th January 2014

      Anyone who is processing people’s data has obligations under the DPA whether or not they have additional training (which yes they should have). I find it very hard to believe that anyone looking at someone’s data that they should not be looking at can claim accidental breach. Take for example a receptionist in a medical surgery. She happens to notice that her neighbour is registered with the surgery and takes a quick look at her records. This is a clear breach and not an accident.

      The courts would need to consider whether data breaches are deliberate to steal data (organised crime) or if it is, for example, a one-off and in any way can be viewed as human error.

  4. Tim Thorne
    8th January 2014

    This is not a data protection breach. The Police Officer should be prosecuted for misconduct in public office, which carries a much stiffer sentence.

    • Anon
      14th January 2014

      This is a data protection breach PLUS misconduct in public office. If this is the case then the Police Officer should be prosecuted for both.

  5. Michael Knight
    8th January 2014

    It is a data breach. Data protection is in place for a reason and ANY misuse (especially willingly selling victims’ data/information) is an offence. We see this also in many call centres where scammers apply for jobs then sell customer data or use it for malicious or Identity Theft purposes. Just because it wasn’t a hack, the information was still manually breached and sold.

    Unfortunately, this happens in many Police stations/departments (as well as NHS/DWP and more) all over the world and the misuse of these databases is very common indeed!

  6. Elena Evans
    8th September 2014

    The Police National Database (PND) can hold information on anyone in this country, none of whom need ever have been convicted of a criminal offence or even known to have been a suspect. It can simply hold information on ‘bad character’ based on malicious gossip by a member of the public or the police or other agencies. There is no means by which a member of the public will ever know what records are held on them on the PND as these are not revealed under Data Protection Laws. Therefore, not only is there a real possibility of abuse – there is no means of catching out the abusers as a subject access request will not reveal if any such record exists let alone what the records might be. In my case, I did discover that my name appears on the PND (an email slip) but I have no access to know why – I have never been a suspect, or broken the law so this is a mystery but an unpleasant one. In this case, what use is the DPA to any of us?