
Records management tops ICO police data control concerns

Neil Merrett Published 04 June 2015

Data regulator report into audits of 40 police forces finds 54% of compliance recommendations completed, with a further 30% "in progress"


The Information Commissioner's Office (ICO) has identified police records management as the most limited area of assurance concerning data protection compliance in law enforcement, based on audits of some 40 forces in the UK.

In a report compiling all 40 audits and 30 follow-up exercises conducted by the data regulator concerning the work of police forces, the ICO said it was "encouraged" that 54% of data protection recommendations from its initial audits have been completed.

The ICO also noted that an additional 30% of its audit recommendations to police were in progress or partially completed.

"The ongoing programme of ICO audits has allowed forces and the commissioner to gain assurance regarding the way personal data is being processed as well as identifying underlying risk; however, analysis of our follow-up activity shows that some of the key areas highlighted by these audits are yet to be fully addressed," said the document.

"Failure to do so leaves the potential for data breaches and should such a breach result from the failure to accept or fully implement one of the ICO's recommendations then this may be reflected in the level of regulatory action taken."

The report said that in terms of key challenges for forces, records management was the area that showed the most limited assurance levels in terms of police capabilities, as well as having the fewest audit recommendations completed during follow-up actions.

The data regulator cited the case of an unnamed force, which later faced a Civil Monetary Penalty for leaving confidential audio/video tapes and case information in a former police station that went unoccupied for three years, as an example of risks facing police over records management.

In terms of its key concerns over records management, the ICO cited a lack of refresher training plans and controls or process to ensure more secure disposal of electronic and manual records. It also pointed to there being no information asset register or information asset owners.

Outlining recommendations for the storage, retention and disposal of records, the data regulator called on forces to implement processes for logging and tracking the movement and security of manual records, while reviewing existing retention and disposal schedules for data to ensure accuracy.

Among its wider recommendations for police forces in ensuring compliance with the Data Protection Act, the ICO report suggested:

  • Conducting staff awareness campaigns and refresher training on records management, information security and data protection
  • Holding regular checks and periodic security audits including manual records overview
  • Ensuring appropriate version control, document change history and review dates on key data policies
  • Introducing appropriate policies and controls to ensure data is not uploaded or downloaded to unauthorised media devices
  • Reviewing access to hardware such as printers, laptops, USBs and body-worn cameras
  • Reviewing information systems regularly to take account of changing employment statuses of staff

Of the 40 police forces audited by the ICO, the report found that two were rated by the regulator as having 'high assurance' surrounding data protection, with an additional 24 organisations classed as having 'reasonable assurance'.

The remaining 14 forces audited were found to have 'limited assurance', although no police organisations surveyed had 'very limited assurance' - the ICO's lowest rating.
