‘Serious shortcomings’ were identified in how the force stored and handled security camera footage.
The Information Commissioner’s Office has criticised the UK’s third largest police service over how it dealt with footage recorded over a 48-hour period in February 2021. The Professional Standards Directorate of Greater Manchester Police [GMP] requested that video of an individual detained in custody for two days be kept for longer than the standard 90-day storage period, meaning it became subject to access request processes.
This entitles anyone to demand an organisation supplies all data held relating to them. When the person detained in custody made this request it emerged that two hours of the original recording had been lost. As a result, GMP self-reported a personal data breach to the ICO on 5 September 2023.
A subsequent ICO investigation then concluded that GMP failed on its duty to safely store and facilitate the sharing of data held on a person, and did not ‘ensure that the appropriate technical or organisational measures were in place to protect the accidental loss of the CCTV data it was processing.’
Two key failings were identified in particular. These were widespread uncertainty and a lack of clarity around which staff carried the responsibility to keep hold of CCTV footage, and poor guidance on checking and quality control processes.
‘CCTV footage, particularly of a person at their most vulnerable, can contain highly sensitive personal data and must be properly protected,’ said ICO’s Head of Investigations, Sally Anne Pool. ‘It is vital that authorities like police forces have the strictest measures in place to protect personal data to maintain public trust. It is clear in this case that Greater Manchester Police failed its obligation to keep the complainant’s personal data safe and demonstrated serious shortcomings in how it handles CCTV footage.’
GMP has since taken steps in response to the breach. These include the introduction of stronger policies around CCTV footage retention, improved governance, policies and processes, and ‘proactive investment’ in better technology infrastructure on which CCTV systems and networks run.
‘We note the findings made by the ICO as to our processes, procedures and oversight of training relating to retaining personal data captured on custody CCTV in 2021,’ a GMP spokesperson said. ‘We have fully co-operated with the ICO’s investigation and have implemented changes in avoidance of further infringements, recognising the importance of securely handling personal data so as to safeguard against its accidental loss.’
Image: Joe Gadd / Unsplash
More on Data Management:
Redefining theft: AI bill suffers second fail as Lords demand protection
Cyber threats outpace government defences, says parliamentary report
What we don’t know about automated decision-making in government
Leave a Reply