The ICO Audits Staffordshire Police

We are drowning in information and starved for knowledge.

― Author Unknown

 

One of the many advantages of being a member of IODPA is the availability of expert knowledge on a variety of topics, all relevant to police injury pensions.

One way we assist our members is by informing them of their rights as ‘data subjects.’

The term ‘data subject’ refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an individual whose personal data can be collected.

In the course of an officer’s career, their force accumulates considerable quantities of information about the individual. In the case of injury-on-duty pensioners that accumulation of data does not stop on their retirement – their force keeps on gathering it.

Trouble is, some forces don’t look after the personal information they acquire.

It is fair to say that data protection law rarely springs to the forefront of injury-on-duty pensioners’ minds. That is understandable, but when we see that a large and professional organisation seems to have little knowledge of how the law requires it to manage the huge quantities of data it acquires and stores, then we begin to worry.

One such deficient organisation is Staffordshire Police, which has just been shockingly revealed to be in dire need of improving its data handling processes and procedures.

The Information Commissioner’s Office has recently published its Executive Summary of a Data Protection Audit which it conducted of Staffordshire Police. You can read it here.

staffordshire-police-audit-052018

 

The report concludes Staffordshire Police could provide only limited assurance that ‘processes and procedures are in place and delivering data protection compliance.’

Moreover, the audit identified ‘considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.’

The ICO report is also critical of Staffordshire Police’s lack of data protection policies, a lack of awareness of arrangements for sharing information, out-of-date information about data protection on its web site, failing to advise people about fair processing of personal information, an inability to show that information held was accurate and up to date, no publication scheme covering freedom of information requests and responses, and a low training rate of employees on data protection.

That covers pretty much all of the areas of data protection law, and shows that Staffordshire is failing in all of them.

What this means for injury-on-duty pensioners can be best illustrated by recounting some of the experiences of our members.

We are told of swathes of personal information being lost or destroyed, including important records confirming entitlement to an injury pension.

We are informed of the opposite – of Staffordshire unnecessarily retaining huge quantities of sensitive personal financial and medical information relating to former officers, and in some cases, relating to third parties such as family members.

We hear of long delays in responding to Freedom Of Information Act requests.

We are notified of inaccurate information being held, and of very sensitive personal information being accessed by employees without the permission of the data subject.

 

The situation is so bleak within Staffordshire Police that some of our members have been compelled to make formal complaints to the Information Commissioner’s Office. It is our understanding that these complaints will reveal even more deficiencies in Staffordshire’s handling of personal information.

The ICO report advises, ‘The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement.’

IODPA believes that Staffordshire is only one of many forces who are failing in respect of data protection.

The Information Commissioner’s Office provides a valuable and important safeguard of injury-on-duty pensioners’ data rights and we applaud the ICO for its work and for bringing the deficiencies of Staffordshire Police into the light of public knowledge. The findings of the ICO’s initial audit are, we hope, a salutary wake-up call to Staffordshire and to all other forces who casually process so much personal information whilst starved of knowledge of data protection law.


19 thoughts on “The ICO Audits Staffordshire Police”

  • 2018-08-30 at 6:41 pm

    ‘Hello Captain, you’re home early, just in time for Countdown. I’ll put the kettle on and we’ll watch it together. Have you had a good day at the office? I assume by your lack of reply the answer to that is no? Come on, come and sit down, there’s some Twiglets on the sideboard I know you like them. RPENSNOIE what can that be? I know PENSIONER, that’s a good one, all nine letters. What have I said now, what’s that face for.’ ‘You know very well mum, it’s those bloody pensioners, they’re getting on my nerves, I mean is it too much to ask them to sacrifice their pensions for the greater good?’
    ‘Well son, you’ve been trying very hard to persuade them but for some reason they don’t seem to want to starve and live on the streets. Didn’t you have some more reviews today? How did they go? Maybe the SMP managed to reduce a few?’ ‘Nope, she cancelled the whole day and we couldn’t get anyone else to come and do the reductions, so that’s another month’s pension they will get without having to work for it.’ ‘Oh dear son, that’s three you’ve lost this year, what’s going on, are you sure you’re doing the right thing? I mean if you can’t get an SMP to work for you what are you going to do? I mean you keep threatening this reg. 33 business but you haven’t done it, you told them all you had taken legal advice over it and were going to explain it over your tea party but no one came. Did you get that legal advice or were you just trying to spoof them?’ ‘Well I did ask but you know what lawyers are like, never want to commit themselves, no guarantees blah blah blah. I could do with that principal solicitor working for us, I bet he knows what to do. Andy seems to think the same as me.’ ‘I thought he’d get a mention somewhere along the line. Really son are you sure you should be putting so much faith in a human remains assistant, I mean what has he achieved so far?’ ‘Well he’s written some cracking letters to the pensioners, really got them running scared.’ ‘I know he’s done that son but has he done it within the data protection laws, they’re very strict now you know and from what I hear he’s putting his name on all the letters that have been sent out and demanding that they only contact him and telling them what they’ve got to do. He’s acting quite the boss it seems to me.’ ‘Well, yes he was sending everything out until recently but he thought it was probably best if he kept a low profile for a bit, you know get someone else to put their name on the letters, you know just in case.’ ‘I hope he’s not using yours son, you’re in enough bother with the ICO after their audit as it is?’ ‘No mum, not mine, I’m just the big Chief.’ ‘You’re certainly that son and being the big chief brings its responsibilities, I hope this doesn’t come back to bite you, you know when things hit the fan.
    See they got pensioner as well, a lot of points for that.’

  • 2018-08-16 at 3:25 pm

    ICO have identified quite a bit in the report and it really is quite damning – great stuff, but are they just going to stop there or pursue this like has been said above – Heads should be lopped off, big fines and bad press for the force management’s overall standing.
    I really hope a follow-up results in action; these are the only things that will make other forces sit up and listen.
    However I think very little will happen in the near future. I would wait with bated breath but know I could never wait that long.

  • 2018-08-15 at 4:52 pm

    In 2002, the Force Solicitor employed by Staffs Police at that time refused to supply me with records from my own Occupational Health file, in breach of Data Protection legislation, which had been in force for a few years. It took an official complaint which resulted in DCC David Swift writing to me after the enquiry by a Superintendent in the Professional Standards Unit. I am looking at Mr Swift’s letter now and in it he says: “Quite clearly there was a Force Procedure dealing with ……. these had not been followed and your observations have resulted in a formal structure being implemented which will undoubtedly prove beneficial to all. May I take this opportunity in thanking you for raising these issues…”
    Fast forward 16 years to the ICO audit. Did Staffs Police learn any lessons from its historical mistakes? NO!
    I have not been the only one affected but we must fear for the general members of the public of Staffordshire as well as those former officers blighted by such incompetence.
    If I was travelling along the A34 in Staffs doing 70mph in a 60 mph area then there is an absolute guarantee I would receive deserving punishment. Will Staffs Police receive any punishment for its misdemeanours? Let’s see if the ICO has any teeth.

  • 2018-08-14 at 8:04 pm

    So we had Northumbria first and now Staffs breaching data protection! So the ICO have carried out an audit and have evidence of non-compliance and they have made recommendations? But what next? If they still don’t comply then a prosecution?………….

  • 2018-08-13 at 4:21 pm

    Absolutely Bang on the Money. I bet criminals’ details are handled with far more care than those of the current or former employees.

  • 2018-08-13 at 12:27 pm

    If Morgan had any kind of proper copper’s savvy he would have made sure his own house was in order before embarking on this fiasco. After all, he had previous experience of Data Protection shortcomings in Avon & Somerset so there can be no excuse for getting it completely wrong a second time.
    The fact that he has failed to learn any lessons from the past just goes to show how completely arrogant and incompetent he really is.
    But of course, he is not a proper copper is he? – Just a petty politician in police uniform who cares more about his own career than he does about serving or retired officers.
    Staffs IODs should continue to stand firm and act lawfully whilst this clown blunders around apparently believing he is above the law.

  • 2018-08-13 at 9:20 am

    Staffordshire Police is being grossly mismanaged by a Chief Constable who is so utterly inept that it looks increasingly likely that he will have to be forced to quit.
    Fortunately for the public the recent ICO audit has shown that Morgan is completely unable to run a large organisation safely and lawfully.

    The ICO report is damning, it shows that this clueless man has provided zero leadership and direction to his staff and simply doesn’t understand what his legal obligations are in respect of data protection.

    There is no guidance, no policy and no process that this man has put in place and quite simply he is breaking the law on a daily basis.

    No wonder the threats, hissy fits and tantrums when disabled pensioners push back against the bloated Morgan, it’s starting to unravel and he is simply trying to bluff his way out.

    Intervention from the Home Secretary must now be called for, Sajid Javid must act to remove this disastrous man from public office and a line must be drawn under his rule of sheer incompetence and bullying at Staffordshire Police and I urge people to petition the Home Office to act swiftly.

  • 2018-08-13 at 9:09 am

    It looks like Staffordshire Police have yet to grasp the concept – personal information held by them does not belong to them. They can’t just do whatever they like with it. It belongs to the data subject.

    The data holder will usually need the explicit permission of the data subject to conduct any ‘processing’ of the information.

    Processing is all-encompassing. It includes copying the information, reading it, moving it, acting on it and even retaining it.

    The Information Commissioner’s Office has explained this very succinctly: ‘The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing.’

    There are some exceptions which allow processing without explicit consent, but if an organisation wishes to use an exception then they are obliged to tell the data subject which exception they are relying on.

    In regard to information held relating to retired former officers, forces such as Staffordshire can have no legitimate reason or excuse to process anything other than the bare details needed to contact the individual and to make payment of their pension. All other information which the force might wish to use in any way would need explicit consent from the former officer.

  • 2018-08-13 at 8:46 am

    Well well well, Staffordshire Police are certainly in the spotlight. IODPA members, spread the word regularly about current situations affecting pensioners, and this just about sums up SP…they don’t give a damn about your data..they think it’s perfectly ok to send your medical notes, in advance to the SMP, even though you have given explicit instructions to stop processing it. Then lo and behold, the SMP has your file on the desk, but squeaks ‘I haven’t looked at them’….haha, a bloody joke
    Well, Mr Morgan, you are now being exposed more than ever, for the liar you are…good luck..because you are going to need it….NOT the pensioners. They are acting lawfully …you Sir, quite clearly are not!

  • 2018-08-13 at 8:33 am

    Bravo ICO. Yet more failings by Staffs. When will it ever stop? The matter of the GDPR that came in at the end of May is an interesting one. Many of us (if not all) will have had a number of emails or letters about data being held by the various people we’re connected with in some way. Some even felt bombarded, but at least we were kept well informed about the GDPR and given an opt in/out choice, given a link to go to in order to read more, or specifically asked for consent. In a way, it was comforting that the various companies had taken the time to get info out to everyone. I haven’t received anything from my force. Has anyone else? And has it been of good quality and informative?
    Wake up Staffs! And any other force that feels the regs don’t apply to them! If my bank, the supermarket and even my dentist can be bothered to ask me about how my information is held and used, then so should you!

  • 2018-08-13 at 12:04 am

    I made a SAR to Police Scotland months ago, the usual format. No acknowledgement until I requested one. They then asked for individual names, gave them a list of about 30. These relate to the years of discrimination & bullying I experienced as a part time officer.
    6 weeks later PS send a blanket refusal stating that providing the info could interfere with potential misconduct investigations. I do have a complaint against 9 officers including PSD which PSD have been “investigating” for 27 months.
    I pointed out that some of these named individuals are now retired so how can they refuse the information? That was 4 weeks ago, still no response.
    This information will prove how I was treated, crucial for my IOD PMAB on 6th October.
    I’ve complained to ICO.

    I would complain to the Scottish Police Authority, the oversight body responsible for PS however they are also ignoring the SAR I submitted to them 3 months ago. My complaint originally went to them but they kept it for 8 months before refusing to investigate. There are no minutes held of the Complaint Handling Committee hearing to make this decision. That’s because there was no meeting. Several retired senior officers now work for the SPA, I’m quite sure there are a few emails between them and their old mates in the force.

    When I found out about the set up for PMAB hearings I was shocked, apparently it’s legal and ethical for the lawyer representing the force at my employment tribunal to appear at my PMAB.

    I wrote to the head of the SPA regarding this, attaching various documents including medical information. This was clearly marked confidential and for the sole attention of the Chair. This Chair was new, brought in to promote “openness and transparency”.
    Eventually I received a response from an SPA lawyer, dismissing my concerns. It was clear he had accessed all the info. I wrote back protesting, he apologised and assured me the info would go straight to the Chair.

    Eventually I received a reply from the CEO stating the Chair was happy with how my info had been handled and he would now pass it to the Complaint team with my permission. I pointed out the lawyer had stated HE had already passed it to the Complaint team.
    Eventually the CEO replied to say yes the team already had it, did I want it dealt with or not?
    Police Scotland and the SPA have already been criticised by the Information Commissioner but it seems they’re not that fussed.

    Recently the SPA asked if 2 observers could attend my PMAB along with the force lawyer and 4 doctors. If I couldn’t afford legal fees I would be facing 7 people all determined to look after the force, for 3 hours. I retired on mental health grounds due to the harassment.

    Thank Christ for IODPA as dealing with these jackals is horrendous, love and good luck to everyone fighting back.

  • 2018-08-12 at 11:16 pm

    So finally the curtain opens and a chunk of light falls on the abuses of power by Staffordshire Police!

    Many of the former police officers suffering abuse, purely by being Injured on Duty, have long known what the ICO has started to reveal about Staffordshire Police!

    There are numerous cases of unauthorised access to our personal data, of leaks, of a force, especially its Legal Services who think they are above the law and can ignore ICO decisions and direct instructions from us not to process our data.

    Then there is the case of the ‘One hundred and twenty seven boxes’.
    Of more & more desperate activities by SP to hide the fact that they destroyed most of the data on their former officers and as a result cannot carry out reviews lawfully.

    It’s why they are intimidating & bullying so many IODs. They need these pensioners to crack & provide the info they destroyed and then add insult on injury by using it to steal their pensions, plus keeping it till the IOD is 100! This, of course is despite instructions to the contrary from us.

    Well SP, data is your Achilles heel & we Staffs pensioners who are resisting you, your Trojan horse. We are well inside your systems now & what we find together with your pathetic attempts to deny the ICO, only strengthen our hand when we complain. There is a lot more to come!

    You are running out of excuses Morgan.
    The SMPs abandon you; Pensioners ignore you; finally the ICO is becoming interested and of course, your threats of Reg 33 are worthless.

    Who will be the fall guy, when this farce ends Morgan? Ellis will protect his own back, as he sees his future as a MP.
    So it will be either you or Coley, unless the Home Office pulls him out first!

    Bet you wished you’d never come to Staffordshire with your sharp practice eh!

  • 2018-08-12 at 10:58 pm

    I despair, this arrogant man, this police force think it’s perfectly ok to do whatever they see fit, they make it up as they go along and think they are exempt from the regulations which are in place, their money saving plan of review and reduce the injury pensions is very quickly going down the pan, instead of saving money, their irresponsible actions and could not care attitude, is going to cost them a lot of money …..No doubt CC Morgan and his cronies will think they can wriggle out of the mire they are in….

  • 2018-08-12 at 10:50 pm

    The public criticism of Staffordshire Police by the ICO might lead to other parties who have an interest in the way in which SP operates its data policies, also generating a few questions for them. Who would have thought that the legal representatives of SP’s regular clients might be considering cases that will also make SP squirm – now that would be a turn up for the books. If as many interested parties as possible could get the bit between their teeth we might just see a little compliance. Who cares who actually drives the nail home, as long as it’s in the right coffin. Let’s keep our fingers crossed. Now is not the time for us to back down.

  • 2018-08-12 at 10:23 pm

    Since this audit, the new General Data Protection Regulations has been enacted, which places many more responsibilities on the part of holders of data and significantly strengthens the rights of individuals as to how their personal data is used.
    If Staffordshire Police were failing to comply with the DPA, one can only imagine what an audit would reveal regarding their compliance for the GDPR.
    The maximum penalties for failing to comply with the new GDPR legislation are significantly increased over those for the Data Protection Act.
    Staffordshire Police are playing with fire, essentially what the ICO audit (most probably just the tip of the iceberg) reveals is a police force that is failing to comply with the law.
    This is a very serious matter indeed, heads should roll.

  • 2018-08-12 at 9:49 pm

    ‘Captain, so pleased you’re home. I’ve been looking at that IODPA website and see they’ve published the ICO audit report on Staffordshire Police. It’s not very good, it seems to be saying that you’re not much good at looking after data.’ ‘It’s all rubbish mum, the ICO won’t do anything about it, I mean it’s only advisory and like I told you before if anyone complains we ignore them and they’re so old they forget all about it. Do I look bothered?’ ‘Well son, they’ve made urgent and high priority recommendations and some ordinary ones too, it sounds like they’re not best pleased with you? And with those IODPA people publishing the findings it will make those pensioners aware that not all is well. Still, I suppose there is one good thing, they didn’t publish your photo this time.’
    ‘Those bloody pensioners, I’m going to sack the lot of them.’ ‘You can’t son they’re pensioners, they’ve retired already; some of them have been badly injured looking after the public; you remember the public and your duty towards them?’ ‘My duty is to sort them out and get their pensions off them, then use it on some worthwhile purpose like I told you before. I’m going to reg 33 the lot of them, that’ll teach them a lesson.’ ‘Well son, you invited them to your tea party and no one came; then you gave them two weeks to give you all their medical records and none of them have; now how are you going to invoke reg 33 without getting served with a JR and I don’t think those doctors are going to help you; I mean why would they; the money’s good but they won’t want to be investigated under GDPR or even served with a JR. I expect they can earn the same money elsewhere without all the hassle that they get with doing police work.’ ‘What’s GWR got to do with anything mum, this is police work we’re talking about not an old railway company.’ ‘No son General Data Protection Regulations, they deal with data processing which you can’t do any more. You remember when you used to give the doctor all the medical files and tell the doctor what he had to do? Well, that’s called data processing and you can’t do it unless you have informed consent and I don’t think you are going to get that. It’s what the ICO is telling you about, Staffordshire Police don’t seem very good at it. Who deals with it? Don’t tell me it’s that Andrew again? Oh son……’

  • 2018-08-12 at 9:22 pm

    I think this is the tip of the iceberg. I don’t believe any of the UK forces comply with the DPA. Staffs clearly don’t, Northumbria don’t, and I agree it is time the ICO bit a few of these forces to force them into compliance. The arrogance of these two forces is incredible when it comes to complying with data protection laws. Only a matter of time before a huge fine by the ICO has all forces running to comply!!! Good move by ICO and I am sure more of these audits are required nationally.

  • 2018-08-12 at 9:15 pm

    This is as a result of the many complaints that have been forthcoming from ex police officers from Staffs police. If they now fail to implement the changes then the ICO will have no choice but to impose fines or other sanctions upon them. This is what the ICO are all about and that is making organisations adhere to the relevant legislation.
    This is a victory for everyone involved and this is what IODPA strive for, getting forces to do things right. One day they will get reviews right but that is a long way off.
    I only hope that Staffs can put the correct procedures in place and actually get it right. Only time will tell.
    They will of course use this as their defence to any complaints in that they have been audited and are in the process of amending policies and protocols.
    “We apologise for mistakes made in the past and we have now been subjected to an ICO audit which has enabled us to correct our policies and protocols and therefore we will be in a better position to handle DATA issues in the future” this will be their get out clause for complaints.

  • 2018-08-12 at 9:07 pm

    I agree complaint to the ICO is necessary and correct in these circumstances, however the ICO needs to act and act positively and robustly when such breaches are identified. Until these regulators actually start prosecuting and fining those who do not act in accordance with data protection nothing will change, the ball is in the court of the ICO to replace its dentures and bite the PPAs where it hurts.
