Royal Gibraltar Police Fined For Unlawful Disclosure Of Personal Data
The Information Commissioner has issued the Royal Gibraltar Police, with a fine of £5,000 in consequence of the unlawful disclosure of personal data, relating to approximately 40 individuals, in breach of data protection legislation.
A statement from the GRA follows below:
The Information Commissioner was notified of the breach by the RGP, in line with their obligations under Part 3, Chapter 4, Section 76 of the Data Protection Act 2004 (“DPA”), which requires notification to the Information Commissioner where a personal data breach is likely to result in a risk to the rights and freedoms of individuals.
The breach relates to personal data contained in pocketbook entries and witness accounts regarding a police investigation, which were erroneously disclosed to the wrong recipient. The investigation into the breaches found deficiencies relating to the security measures that the RGP have in place to protect such personal data. In particular it was found that the RGP breached:
(a) The first data protection principle; (b) The sixth data protection principle; (c) General obligations of the controller; (d) Security of processing; (e) Notification of a personal data breach to the Information Commissioner; and (f) Communication of a personal data breach to the data subject.
The Information Commissioner, Mr Paul Canessa, said “The Information Commissioner’s primary role is to ensure compliance with data protection legislation. A fine is only considered for the most serious cases. In this case, the breaches identified in the investigation were considered serious enough to warrant a fine being issued. Amongst other things, the context of the personal data being processed was considered relevant, namely the law enforcement context, where the disclosure of personal data relating to criminal prosecutions can create a real risk of distress for individuals“.