In two recent decisions just before Christmas, the Information Commissioner issued enforcement notices on law enforcement organisations – one, on 14 December 2023, on Greater Manchester Police, and one, on 20 December 2023 (but published 18 January 2024), on the Crown Prosecution Service.
The first enforcement notice relates to GMP’s continued non-compliance with FOIA requests, following a practice recommendation made in February 2023. While GMP made some improvements as a result – and now appears to be responding to 80%+ of requests on time – it had not cleared its extensive backlog of nearly 1,000 FOIA requests, more than half of which were over a year old. GMP’s suggestion that it would seek to clear this backlog by December 2024 did not cut much ice, especially in circumstances where the resources to be given to that plan were not guaranteed.
The enforcement notice requires GMP to clear its backlog by 31 July 2024, as well as devise and publish an action plan for how it would do so within 5 weeks of the notice. Because it is a FOIA enforcement notice, the penalty for breach would be certification to the High Court by the IC. The High Court could then deal with GMP as though it was in contempt of court.
The IC also commented on GMP’s approach to internal reviews, particularly regarding timeliness, although he had no powers to make an enforcement notice in this regard (since internal reviews are not statutory, but a matter of good practice).
The second notice, for the CPS, was under s.149 Data Protection Act 2018, in respect of the sixth data protection principle (on appropriate technical and organisational measures) within Part 3 of the DPA on law enforcement processing. It related to the copying by a CPS employee of CPS file data about historic child sex abuse, in March 2018, onto an unencrypted USB owned by the employee. The original purpose of the copying was to share it with another CPS employee. This was apparently in breach of the CPS’ Electronic Media Policy, but the IC did not accept that it was outside the scope of the employee’s duties. The USB was not passed to another CPS employee but appears to have been given to a non-CPS employee, albeit without any intention of sharing the material on it. When the inadvertent disclosure outside the CPS became apparent, the CPS employee seems to have self-reported, and the CPS then reported to the IC and alerted those affected (the redactions to the published notice make it difficult to ascertain the exact sequence of events). There was no impact on the related criminal proceedings.
The IC’s investigation identified a number of technical issues with CPS systems and procedures. Most notably, the CPS allowed self-procurement of USB devices, without supervision or asset management, and not everyone with the capability to download significant quantities of unencrypted data also had the ability to use encryption software. The IC considered that this was a breach of the sixth data protection principle. He decided to issue an enforcement notice given the nature of the data involved, the absence of basic measures such as asset control and encryption, and the fact that the CPS has since reported further breaches involving loss of portable storage devices. (The CPS was also fined previously under the DPA 1998, in 2015 and 2018, the latter for loss of two unencrypted discs containing the interviews of a victim of sexual offending.) The notice requires the CPS, within three months, to implement a range of technical and organisational measures: preventing the use of self-procured portable storage devices; procuring, distributing and asset-managing CPS-procured devices; ensuring those devices are compliant with security requirements; and generally limiting their use given the existence of secure file transfer alternatives. Breach of the requirements of this enforcement notice could lead to a financial penalty.
Two things are notable about this notice. The first is that it has taken almost five years to be issued, following an initial report as far back as November 2018. That is startlingly slow, and it seems likely that the position regarding use of portable storage devices has changed substantially since then. The second is that the IC did not impose an outright monetary penalty, consistent with his published approach to enforcement against public sector bodies, which imposes such penalties only ‘in the most egregious cases’. One perhaps has to wonder whether an enforcement notice more than five years on, in circumstances where fines have previously been issued for similar breaches, really acts as a deterrent. There has also been limited publicity, including no publicising of the amount that would have been levied but for it being a public sector organisation, contrary to the IC’s published approach.
Nonetheless, taken together, these two decisions do highlight the IC’s continued interest in the law enforcement sector, and serve as a salutary warning for law enforcement organisations in relation to both FOIA and the DPA.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.