Police Data Breach Disasters

The country awoke this morning to news that a processing error had caused 150,000 records to be deleted from the Police National Computer system (PNC) – along with highly sensitive information including fingerprint and DNA profiles and individual’s arrest histories. The PNC is essential for modern day policing to function efficiently, as it is the means by which criminal justice information and records are shared between the country’s disparate Police Forces.

The Home Secretary clearly has major questions to answer as to how such an error was allowed to occur, one which caused the UK’s visa approval system to be suspended for 2 days, in addition to the obvious constraints it placed on ‘real time’ Policing duties, especially in the context of British Police Forces having lost access to European criminal databases following Brexit.

Whilst the obvious concern arising from this story is the lack of relevant information being available to Police officers who may need it, proper data management of criminal justice records must include not only the preservation of essential information but also the accurate and timely deletion of false or wrongfully obtained records, which by their presence can cause an individual as much trouble as the lack of relevant records can in another context.

Many of my clients quite rightly hold key objectives both winning compensatory damages from the Police for wrongs committed against them and also ‘clearing their name’ – not only in the sense of the moral vindication of receiving an admission of liability, payment of damages or apology, but also the deletion of their sensitive personal data from the PNC, including biometric information and the facts relating to their wrongful arrest/ prosecution, which if not deleted could cause untold grief in terms of future job or travel visa applications.

Often, it seems to me that the Police system of reviewing and deleting such records is subject to far too much human error itself in the form of vast amounts of delay and a lack of clarity as to the circumstances in which records will be deleted, giving Forces a wide discretion to refuse deletion or to take far too long to carry it out.

Take for example the case of my client “Richard Knight” (name changed), who applied for deletion of his records via the Criminal Records Office (ACRO) following a successful claim for damages for false imprisonment, settled after the issue of Court proceedings. Richard is  man of good character, and was especially concerned to have his records for this wrongful arrest deleted, as they related to a false allegation that he had attempted to solicit a woman for sex.

I submitted his request via ACRO in March 2019, with the following grounds providing multiple justifications for immediate deletion/ destruction of not only his biometric data but also the record of the arrest and the allegations accompanying it –

  • The PNC entry/record was entirely in consequence of an unlawful arrest.  Court proceedings were instituted against the Commissioner of Police of the Metropolis. As a result of the legal claim, settlement terms were agreed in the form of  compensatory damages.  Whilst formal liability was not admitted, the payment of damages at all was indicative of the merits which attached to that claim.  Further, the value of the damages agreed corresponded to the value of the claim, had it been admitted or otherwise resolved by formal judgment.  The Police were also liable for all legal costs arising from the claim.  As a general principal, it would be utterly perverse if a PNC entry was retained in such circumstances.
  • No crime –  Mr Knight had manifestly not engaged in any form of criminal misconduct.
  • Malicious/false allegation – Mr Knight maintained that the account provided by the complainant was untrue and wholly unreliable. 
  • Public interest –   The presence of an arrest record was wholly incompatible with the guaranteed presumption of innocence under the Common Law and the associated guaranteed rights under the European Convention on Human Rights.  Any PNC entry in this particular instance would be a perversity, given the outcome of the civil proceedings brought against the Police. 

ACRO are, in reality, little more than a ‘post box’ organisation (you might say – nothing more than an ‘ACROnym’) whose role is to forward deletion requests to and from the relevant Police Forces. Mr Knight’s application was passed to the Metropolitan Police but it took over 18 months before, in November 2020, his request was finally approved on the grounds of ‘Public Interest’ and the PNC record was deleted.

Until that time, Mr Knight had to live with the knowledge that any Police or other governmental service checks against his name might throw up the stigma of his arrest for a ‘sex crime’ despite his vindication through the civil courts.

Thankfully the situation is now resolved, but perhaps after the Home Secretary has repaired the damage caused by this week’s data loss, she should focus on her equally important responsibility to ensure that inaccurate data, especially concerning false allegations of crime, is not retained for one day longer than is necessary, let alone for years.

Author: iaingould

Actions against the police solicitor (lawyer) and blogger.