 January 5, 2011  Breaches, Non-U.S.

Jack Blanchard has more details on the results of a freedom of information request on police in Yorkshire, UK, mentioned in a previous post on this blog. Revelations concerning medical data are posted to phiprivacy.net, but here are some of the non-medical disclosures for the region's four police forces:

Humberside Police said 31 members of staff had been disciplined for inappropriately accessing data over recent years, including a CID “serious crime” officer who received a written warning after running criminal record checks on his own nephew.

Other cases at the force included a traffic officer who checked the criminal records of his mother’s neighbour after his mother was burgled, and an incident resolution officer who looked up details on his step-daughter’s new boyfriend. Only one of the 31 was dismissed.

[…]

Neighbouring North Yorkshire Police confirmed 39 cases where staff and officers have been reprimanded over the past 36 months.

[…]

South Yorkshire Police detailed 48 cases stretching back to 2005. Most officers involved received warnings or “management advice”, but several either resigned or were ordered to do so. West Yorkshire Police said there have been 22 cases of its officers receiving reprimands for inappropriately accessing data, plus a further 26 cases of police staff committing unspecified “misuse of computer offences” over recent years. Two of the officers were asked to resign and another demoted.

The force said these results did not include the written warnings it sent in November to around 70 members of staff who had accessed the criminal records of a TV talent show contestant following a string of lurid allegations about her in the tabloid Press….

And seven of Yorkshire’s 22 local councils have admitted staff have been caught inappropriately accessing data about members of the public over the past three years. These included two at Wakefield Council who looked up information on family members – one of whom was fired – and two at Doncaster Council, including one who looked up details on an ex-partner. There were also isolated cases among staff at Hull, North Yorkshire, North-East Lincolnshire and Kirklees Councils.

At Rotherham Borough Council, two staff members were caught committing offences, including an audit and finance officer who resigned after being caught accessing the records of 72 neighbours out of “personal curiosity”.

Read more in the Yorkshire Post.

Snooping is a recurring problem across countries and sectors. These types of incidents remind us to be leery when governments want to create large databases containing personal or sensitive information that thousands of people will have access to. These types of incidents also remind us to critically examine whether access controls are set properly and whether logs are being audited for unauthorized access or exceeding authorized access.

I realize that these cases are not as “sexy” as huge data breaches involving millions of records. But these are the breaches that affect our everyday lives — do you really want your neighbor to be able to access your personal information while they’re at work because they have access to a database and are “curious?”

In a recent case in California, the conviction of a public servant who exceeded authorization to a government database was upheld. In that case, discussed previously on this blog, the employee snooped for personal reasons, with consequences for others who were the target of his snooping.

These cases need to be taken very seriously – more seriously than just a warning.
