A watchdog has issued a “damning” report into data security failures at the body responsible for overseeing Police Scotland.
As part of a highly critical audit, the Information Commissioner’s Office (ICO) demanded “immediate” action at the Scottish Police Authority after making dozens of “urgent” recommendations.
Scottish Tory MSP Liam Kerr said: “This is a damning report into one of the most important organisations in Scottish public life. It’s absolutely vital that the SPA can be trusted on the issue of data protection, given the sensitivity of what it handles.”
The SPA has national oversight of the single force and both organisations have access to a wealth of sensitive personal data.
In December 2014, the SPA and Police Scotland self-reported an information security breach to the ICO that involved the loss of an unencrypted data stick relating to 15 criminal investigations.
The breach highlighted the use of unencrypted devices within the SPA and led to a wider audit of the Authority by the ICO.
According to the ICO executive summary, which was published earlier this month, a teleconference was held in May last year, when Andrew Flanagan was SPA chair, to discuss the scope of the audit.
Three areas - security of personal data, training and awareness, and data sharing - were the focus of the probe and field work was undertaken at SPA headquarters and at the Scottish Crime Campus.
The “overall conclusion” of the audit stated: “There is a very limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.”
In total, 28 “urgent” priority recommendations were made, 73 “high priority” recommendations were offered, and 17 were categorised as either “medium” or “low”. Of these, 63 related to information security.
Fifteen specific “areas for improvement” were highlighted, such as the SPA not including possible information threats on their corporate risk register.
According to the audit, the SPA does not carry out privacy impact assessments for all new projects and there is no “effective asset management within SPA”.
The ICO found that physical security risk assessments are not conducted across the SPA and there is no “incident management policy”.
The report added: “There is no formal data protection or information security training programme in place for SPA.”
In addition, the ICO concluded that the SPA does not have formal data sharing agreements in place with Police Scotland, the Crown Office and the Police Investigations and Review Commissioner (PIRC), even though the watchdog “regularly” shares information with these bodies.
The report also found that the SPA does not seek consent to share information with third parties where necessary, and does not seek assurance that shared data is deleted or securely destroyed in line with the agreed retention period.
Scottish Liberal Democrat MSP Liam McArthur said: “This is a damning verdict on the SPA’s approach to information governance. The systems in place are patently not fit for purpose and unless sensible changes are made major breaches appear inevitable.”
An SPA spokesperson said: "The ICO audit, conducted last August, highlighted a clear and urgent need for the SPA to improve its procedures to ensure data protection compliance. As a result the SPA has strengthened its information management team and brought in specialist support to address the issues raised by the ICO. The ICO's recommendations are being addressed as part of ongoing work to ensure compliance with new data protection legislation due to take effect on 25 May 2018."