ACPO – the Association of Chief Police Officers – are inviting people to send online data protection subject access requests, including copies of proof of identity such as passports or bank statements, over an insecure http connection. This is almost certainly in breach of ACPO’s obligations under the Data Protection Act.
One of the most important rights under data protection law is that of “subject access”. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it. It was, for instance, through exercise of this subject access right that six journalists recently discovered that they were on the National Domestic Extremism and Disorder Intelligence database. The DPA recognises the importance of this right by enshrining it in its Schedule One Principles – the sixth principle obliges data controllers to process personal data in accordance with data subjects’ rights under the Act.
The following principle – the seventh – is the one which deals with data security, and it requires data controllers to have appropriate measures in place to safeguard against loss of personal data. The Information Commissioner’s Office (ICO) explains why this is important:
Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include
– fake credit card transactions;
– witnesses at risk of physical harm or intimidation;
– offenders at risk from vigilantes;
– exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence…
But a tweet yesterday (22.02.15) by Information Security consultant Paul Moore pointed out that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides it over an unencrypted http rather than an encrypted https connection.
This is such a basic data security measure that it’s difficult to understand how it has happened – and to confirm their identity people are being encouraged to send highly confidential documents, such as passports, over an unsecure connection. The ICO points out that
Failure to provide the first assurance (encryption) means that any sensitive information transmitted will be viewable via any computer system on the route between the two systems
At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping. The ICO was copied in to subsequent tweets, and it will be interesting to see what action they take.
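As an added illustration (not code from this post or from ACPO), the check a reviewer could run against a saved copy of such a page: it resolves each form's submission target against the page URL and reports whether the page, the submission, or both travel unencrypted. The host `forms.example.org`, the field names and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collect each <form>'s action and the types of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html):
    """Return one finding dict per form found in `html` served at `page_url`."""
    collector = _FormCollector()
    collector.feed(html)
    page_in_clear = urlsplit(page_url).scheme != "https"
    findings = []
    for form in collector.forms:
        # An empty or relative action inherits the page's own scheme.
        target = urljoin(page_url, form["action"])
        findings.append({
            "target": target,
            "page_in_clear": page_in_clear,  # markup can be altered in transit
            "submit_in_clear": urlsplit(target).scheme != "https",
            "uploads_files": "file" in form["inputs"],
        })
    return findings

# Constructed sample; forms.example.org is a placeholder, not the site in the post.
SAMPLE_URL = "http://forms.example.org/subject-access"
SAMPLE_HTML = """
<form method="post" action="/submit" enctype="multipart/form-data">
  <input type="file" name="proof_of_identity">
</form>
<form method="post" action="https://forms.example.org/contact">
  <input type="email" name="email">
</form>
"""

print(audit_forms(SAMPLE_URL, SAMPLE_HTML))
```

The second sample form posts to an https target but is still reported with `page_in_clear` set, because a form delivered over http can have its target rewritten before the user ever submits it.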
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
I recently came across a change of circumstances form on a local government gov.uk domain that was collecting name, email address, phone number, current address, former address and National Insurance number across http.
I told that organisation who said:
“it would seem that whilst the form itself was not flagged to route via https, there is a proxy redirect on the firewall which means that all data coming in and out of our site is routed automatically via https.”
I wasn’t reassured by that so reported it to the ICO. I would not expect them to take any action against ACPO on the basis of this:
“As you know, the Data Protection Act 1998 (DPA) places an obligation on organisations processing personal data (‘data controllers’) to keep that personal data secure. Principle 7 of the DPA states that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The basic obligation on organisations is therefore to take appropriate measures to ensure that personal data is held securely and safely. The DPA does not specify detailed processes to be followed by organisations in dealing with their customers so there is unfortunately no simple rule or process which all organisations must follow. Instead, each organisation needs to implement its own appropriate procedures taking into account factors such as, for example, the type of information collected, and the nature of the business involved. In this case, there is no specific requirement under the seventh principle of the DPA for online forms to be hosted over an HTTPS connection.
Furthermore, the issue you have raised does not suggest any wider concerns about ‘s information rights practices. It would appear that they have taken steps to ensure that adequate security measures are in place.
There is no indication that has deliberately or persistently ignored its obligations or caused significant actual or potential detriment through its information rights practices.
As a result of this, we have not raised your concern with and are not taking any further action in relation to your concern.”
Sadly, you may be right.