Man prosecuted and police force given undertaking after sensitive data leak on Twitter
A Kent man who posted sensitive police information on Twitter has appeared in court after he admitted breaking the Data Protection Act.
William Godfrey, 30, of Bull Lane, Bethersden, had previously been in a relationship with a probationary officer, and came into possession of a USB stick containing the data. In July 2016, he tweeted the name and address of a vulnerable adult, along with details of their health and sexual life, to the accounts of the Information Commissioner’s Office (ICO), the Independent Police Complaints Commission and Surrey Police.
That same day, he emailed the ICO threatening to publish a 40-page document containing personal data, which included the details of a victim of a sexual offence, and became involved in a Twitter exchange with an independent user who saw his tweet and warned him that he was breaking the law.
It later emerged that a separate account, operated by Godfrey, had tweeted Surrey Police two days earlier, disclosing the details of one named individual and the fact that they had been searched by police in relation to an offence.
The ICO contacted him to ask him not to publish the material. Godfrey later failed to attend a meeting to hand over the USB stick and Surrey Police eventually had to take out an injunction to retrieve it.
Godfrey admitted two offences of unlawfully disclosing personal data in breach of s55 of the Data Protection Act when he appeared at Maidstone Crown Court, on Wednesday 17 January 2018.
He was sentenced to a 12-month conditional discharge, in part because he had been placed on stringent bail conditions, including a curfew and an electronic tag, before the hearing. He was also ordered to pay £150 costs and a £15 victim surcharge.
ICO Head of Enforcement Steve Eckersley said:
“People should always be careful about what they share on social media, both about themselves and others. But when it’s sensitive and confidential personal information that they have no right to see or possess in the first place, then we will not hesitate to take action to protect people’s rights.
”Surrey Police has also signed an undertaking to improve its procedures as a result of this case, and we are satisfied that many of our recommendations have already been taken on board.”
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a civil monetary penalty on a data controller of up to £500,000. Criminal prosecutions under s55 of the Data Protection Act can attract an unlimited fine.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to org.uk/concerns/