West Midlands Police – Violation Found (United Kingdom, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On numerous occasions throughout 2020, 2021 and 2022, West Midlands Police (WMP), a large regional police force, incorrectly linked and merged the records of two data subjects with the same name and date of birth on multiple occasions. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime. This led to inaccurate personal data being processed on WMP’s systems and resulted in a number of incidents, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child. On 12 July 2022, WMP sent a letter to one individual that was intended for the other, disclosing that they had been a victim of an assault. At this time, the recipient was aware of the data accuracy issue on WMP’s systems and that this letter related to an individual who shares their name and date of birth and lives in the local area. ICO found that WMP did not take steps to rectify the error quickly enough and there was a failure to stop the inaccurate linking of records reoccurring, both breaches of data protection law. Considering the security incident, WMP have failed to demonstrate that they have kept personal data secure in relation to the other incidents affecting these two individuals. Due to the lack of appropriate records of these incidents, WMP do not know whether personal data was disclosed, including information concerning criminal offences. Also, WMP failed to demonstrate that they have ensured the accuracy and security of personal data relating to the two individuals in this case. WMP did not hold adequate records of the incidents relating to the accuracy and security of these individuals’ personal data. The ICO found that there was a lack of regular data protection training and not enough was done to make employees aware of their responsibilities to
GDPR Articles Cited
On numerous occasions throughout 2020, 2021 and 2022, West Midlands Police (WMP), a large regional police force, incorrectly linked and merged the records of two data subjects with the same name and date of birth on multiple occasions. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime. This led to inaccurate personal data being processed on WMP’s systems and resulted in a number of incidents, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child. On 12 July 2022, WMP sent a letter to one individual that was intended for the other, disclosing that they had been a victim of an assault. At this time, the recipient was aware of the data accuracy issue on WMP’s systems and that this letter related to an individual who shares their name and date of birth and lives in the local area. ICO found that WMP did not take steps to rectify the error quickly enough and there was a failure to stop the inaccurate linking of records reoccurring, both breaches of data protection law. Considering the security incident, WMP have failed to demonstrate that they have kept personal data secure in relation to the other incidents affecting these two individuals. Due to the lack of appropriate records of these incidents, WMP do not know whether personal data was disclosed, including information concerning criminal offences. Also, WMP failed to demonstrate that they have ensured the accuracy and security of personal data relating to the two individuals in this case. WMP did not hold adequate records of the incidents relating to the accuracy and security of these individuals’ personal data. The ICO found that there was a lack of regular data protection training and not enough was done to make employees aware of their responsibilities to
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for West Midlands Police in UK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. West Midlands Police - United Kingdom (2024). Retrieved from cookiefines.eu
Last updated: