First published: 17th April 2010
A Gwent Police officer is facing an investigation for gross misconduct after accidentally emailing a spreadsheet containing the personal details of over ten thousand people to a journalist at the online technology publication The Register. The journalist's address had been saved by the officer's Novell email client when it was used to submit two unrelated Freedom of Information requests last year. When the officer sent the file to police colleagues, the autocomplete function inserted the journalist's address in the Cc field instead of the address of the intended police recipient. The file, which was neither encrypted nor password protected, contained 10,006 records of people applying for, or already in, jobs that require a Criminal Records Bureau (CRB) check. The Register cooperated with Gwent Police in deleting the file, but declined their request not to publish a story reporting the incident.
The incident has been reported to the Independent Police Complaints Commission and the Information Commissioner, as required under the Data Protection Act. Investigators have exonerated the system design and blamed human error. Yui Kee's Chief Consultant, Allan Dyer, commented, "While the officer concerned made a momentary addressing error, the fact that such a small mistake could have serious consequences indicates that there are system design improvements to be made." Some areas that could be considered are:
- Autocomplete: This is a convenience feature in many email clients, but it is a frequent source of addressing errors. The risk grows when autocomplete matches on a partial name OR a partial email address, because the number of candidate matches increases. A mistake is harder to spot if the client displays only the "friendly" display name and hides the "technical" address, since the domain part of the address is the clue that the message is going to a different organisation from the one you expected.
- Data Dissemination: Could the officer have sent a link to where the data was stored? Why did the intended recipients not already have access to that location? It seems unlikely that five people could make use of over ten thousand records before they became outdated, so what was needed was either live access to the original data or a statistical summary as of a particular date, not a full copy that goes stale and can be mishandled.
- Database Export: Why was it possible for an ordinary user to export so many records from the database? (Unless the spreadsheet was the database, in which case the question is why inappropriate software was being used to manage the data.)
- Protecting Confidentiality: Sensitive data should be covered by a policy requiring it to be encrypted in transit. Quite apart from the possibility of the file being sent outside the organisation by mistake, only a small number of Gwent Police officers needed this information, so, given its sensitivity, shouldn't it have been encrypted on the internal network as well?
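As an added example of the kind of system-level safeguard the Autocomplete and Protecting Confidentiality points above call for (this is illustrative code written for this article, not anything from Gwent Police, Novell or The Register), the following Python pre-send check parses a message's recipient headers, flags every address whose domain is outside the organisation, and separately flags display names that resolve to more than one domain, which is exactly the "same friendly name, different organisation" failure that a name-only display hides. The internal domain `example.police.uk` and all addresses in the sample message are constructed placeholders.

```python
"""Pre-send recipient check: catch an autocomplete mistake before the mail leaves.

Added example, not code from the article or from any organisation it names.
A mail client plugin or an outbound gateway could run these checks and ask the
sender to confirm (or refuse outright) when a sensitive attachment is addressed
to anyone outside the organisation.
"""
from email.message import EmailMessage

# Hypothetical organisation domain(s); subdomains of these count as internal.
INTERNAL_DOMAINS = {"example.police.uk"}


def is_internal(addr_spec, internal=INTERNAL_DOMAINS):
    """True if the address's domain is one of ours or a subdomain of one.

    Matching is on the whole label boundary ("." + domain), so a lookalike
    such as user@example.police.uk.evil.com is correctly treated as external.
    """
    if "@" not in addr_spec:
        return False
    domain = addr_spec.rsplit("@", 1)[1].lower()
    return domain in internal or any(domain.endswith("." + d) for d in internal)


def _recipients(msg):
    """Yield (header, display_name, addr_spec) for every To/Cc/Bcc address."""
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header) or []:
            # EmailMessage (policy.default) parses address headers for us.
            for address in value.addresses:
                yield header, address.display_name.strip(), address.addr_spec


def external_recipients(msg, internal=INTERNAL_DOMAINS):
    """Every recipient whose domain is outside the organisation."""
    return [(h, name, addr) for h, name, addr in _recipients(msg)
            if not is_internal(addr, internal)]


def ambiguous_names(msg):
    """Display names that map to more than one domain across the recipients.

    This is the signal a name-only recipient display would hide from the sender.
    """
    domains_by_name = {}
    for _, name, addr in _recipients(msg):
        if name:
            domains_by_name.setdefault(name, set()).add(addr.rsplit("@", 1)[1].lower())
    return {name: doms for name, doms in domains_by_name.items() if len(doms) > 1}


def should_block(msg, has_sensitive_attachment, internal=INTERNAL_DOMAINS):
    """Policy: a sensitive attachment may only be sent to internal recipients."""
    return has_sensitive_attachment and bool(external_recipients(msg, internal))


def build_sample():
    """Constructed message reproducing the failure mode: one Cc entry with the
    same display name as a colleague but an outside domain."""
    msg = EmailMessage()
    msg["From"] = "officer@example.police.uk"
    msg["To"] = "Records Unit <records@example.police.uk>"
    msg["Cc"] = ("John Smith <jsmith@example.police.uk>, "
                 "John Smith <john.smith@example.org>")
    msg.set_content("CRB applicant spreadsheet attached.")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    for header, name, addr in external_recipients(sample):
        print(f"EXTERNAL recipient in {header}: {name} <{addr}>")
    for name, doms in ambiguous_names(sample).items():
        print(f"Display name '{name}' resolves to several domains: {sorted(doms)}")
    print("Block send:", should_block(sample, has_sensitive_attachment=True))
```

The check deliberately keys on the address domain rather than on the address book entry, because the address book is where the stale journalist entry came from in the first place; whether an attachment counts as "sensitive" is left to the caller, since that decision belongs to a data classification policy rather than to the mail client.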