The ICO reprimanded Greater Manchester Police (GMP) after the force self-reported a data breach. In February 2021, a person was held in custody for 48 hours under CCTV surveillance. When that person later submitted a Subject Access Request for the CCTV footage, GMP discovered that two hours of footage were missing.
This led to a self-reported data breach in September 2023 and an ICO reprimand.
What can we learn from this?
The Key Failures:
☝️ Confused responsibilities - Staff were unclear about who should quality-check retained footage
☝️ Missing procedures - No policies setting out quality check requirements or accountability were identified
☝️ Delayed response - GMP failed to provide personal data within the 90-day legal deadline
☝️ Inadequate safeguards - Insufficient technical measures to prevent accidental data loss
Why This Matters:
CCTV footage captures people at their most vulnerable moments - this is personal data which can be highly sensitive and, as such, requires the strictest protection measures. It is important for police forces and public bodies to maintain public trust by protecting such data.
Practical Takeaways for Your Organisation:
⚠️ Review your policies - Do your staff clearly understand their data protection responsibilities, both as a whole team and as individuals? Are all the roles clearly outlined?
⚠️ Regular quality audits - Are you checking the integrity of stored information?
⚠️ Clear retention procedures - Who is responsible for managing storage periods and deletion schedules?
⚠️ Technical safeguards - What measures are in place to prevent accidental loss or corruption?
Don't wait for a data breach to expose gaps in your systems.