
GRA Fines RGP £10,000 For Processing Data Without Appropriate Security Measures And Other Data Protection Failings

25 April 2022

The Information Commissioner has issued the Royal Gibraltar Police with a fine of £10,000 following various breaches of the Data Protection Act 2004 and the EU GDPR.

A statement from the GRA follows below:

The Information Commissioner has issued the Royal Gibraltar Police (the “RGP”) with a fine of £10,000 following various breaches of the Data Protection Act 2004 (“DPA”) and the EU General Data Protection Regulation 2016/679 (“EU GDPR”), as the applicable law at material times relating to the matter.

The breach relates to personal data held by the RGP, including data relating to current and previous employees, as well as information relating to law enforcement matters. Aside from a breach of unlawful disclosure of personal data, the investigation found issues relating to the security measures in place to protect personal data, as well as the RGP’s retention periods in respect of the same.

The Information Commissioner was notified of the breach by the RGP, in line with their obligations under Part III, Chapter 4, Section 76 of the DPA, which requires notification to the Information Commissioner where a personal data breach is likely to result in a risk to the rights and freedoms of individuals.

The RGP also notified data subjects as required by Part III, Chapter 4, Section 77 of the DPA, which provides that where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay. The latter was however found to have been carried out with unjustified delay.

In respect of personal data processed for law enforcement purposes, it was found that the RGP breached:

(a) Sections 48(1) and 48(2) of the DPA – The fifth data protection principle, which relates to storage limitation.

(b) Section 49 of the DPA – The sixth data protection principle, which relates to data security.

(c) Sections 65(1) and 65(2) of the DPA – General obligations of the controller.

(d) Section 70 of the DPA – Records of processing activities.

(e) Section 75 of the DPA – Security of processing.

(f) Sections 77(1) and 77(2) of the DPA – Communication of a personal data breach to the data subject.

In respect of personal data processed for employment purposes, it was found that the RGP breached:

(a) Article 5(1)(e) of the EU GDPR – Principles relating to processing of personal data (i.e., storage limitation).

(b) Article 5(1)(f) of the EU GDPR – Principles relating to processing of personal data (i.e., integrity and confidentiality).

(c) Articles 24(1) and 24(2) of the EU GDPR – Responsibility of the controller.

(d) Article 30 of the EU GDPR – Records of processing activities.

(e) Article 32 of the EU GDPR – Security of processing.

(f) Articles 34(1) and 34(2) of the EU GDPR – Communication of a personal data breach to the data subject.

The Information Commissioner, John Paul Rodriguez, said: “The importance of protecting personal data must not be underestimated. Where personal data is processed in contexts such as that of law enforcement, unlawful disclosures through lack of security measures can have particularly significant negative repercussions on data subjects. The severity of the breaches identified in this matter is of concern, and, whilst the RGP appear to be taking steps towards improving their data protection operations, I very much hope the imposition of this fine serves to avoid any future breaches of this type.”