The ICO recently reprimanded South Yorkshire Police (SYP) after 96,000 pieces of body-worn video evidence were deleted. The incident highlights a crucial principle of data protection - safeguarding information isn’t only about preventing breaches, but also mitigating loss. The investigation found delayed backup policies, poor record keeping, and unassessed risks when transferring data between systems. The deletion affected 126 criminal cases, three of which were directly impacted.
The ICO’s findings highlight four core areas where organisations should focus their efforts to prevent similar incidents:
Backups and recovery: Maintain robust, tested backup solutions with clear restoration procedures. Regularly review and escalate issues to senior management.
Change management and risk assessment: Before system upgrades or migrations, carry out risk assessments to identify and mitigate potential impacts on data integrity and availability.
Third-party oversight: Clearly define roles and responsibilities when contractors or suppliers access systems, and ensure appropriate supervision and contractual safeguards are in place.
Accurate and traceable record keeping: Keep data and files consistently labelled, logged, and auditable to avoid uncertainty over what is stored, copied, or deleted.
