Legal matters


Contacting the ICO to admit a data breach?

15 replies

Unencrypted · 26/01/2025 11:40

I need advice about next steps for a professional who has sent copies of client notes to the police following an official request signed by a Detective Inspector.

The professional works for themselves, and mistakenly thought they had to comply, so in good faith acted quickly. The police paperwork said their client must not be contacted for consent as it would compromise the police investigation.

Since then they have been very worried that their actions may be a data breach and have been trying to find a solicitor without success. They have also told the police they want to withdraw the data they sent, but the police have refused.

I have suggested they contact the ICO helpline for advice - they are scared they have left it too late (it's been nearly 2 weeks).

To their benefit, they have tried to contain the breach (emailed the police) and the police cannot do anything with the data as they didn't fill out the paperwork that gave permission to do this.

Has anyone contacted the ICO in circumstances like this, and can they give any advice around what to expect?

OP posts:
fingertraps · 26/01/2025 12:04

Does this individual have any kind of professional insurance? They should speak to them now, before they do anything else.

Unencrypted · 26/01/2025 12:27

They have professional insurance; the insurer said they shouldn't have shared the data unless there had been a court order or subpoena. They didn't advise further.

They are also members of two professional bodies, both of which have said they can't advise/help.

If relevant, the police requested the data under what seems to be a relatively new line of enquiry, in terms of them asking for information from this profession (psychotherapy and counselling) in the very early stages of an investigation (ahead of deciding whether to charge).

OP posts:
ZoeyBartlett · 26/01/2025 12:29

Honestly the chances of the ICO doing anything are minuscule. I've been involved in a few big data breaches and other than asking some questions, ICO did nothing.

In some cases police can compel the disclosure of data - are you sure this wasn't one of those? If not, what the discloser needs to do is notify the data subject of the disclosure.

Unencrypted · 26/01/2025 12:29

They did tell their insurance provider that they are looking for a solicitor. The insurance company seemed to indicate that this was the right thing to do. But they have tried many firms and all are saying they cannot advise or are not getting back in contact.

OP posts:
Unencrypted · 26/01/2025 12:34

@ZoeyBartlett thanks - this is what I think (based on my work in the public sector) but the individual is very worried.

They spent over 10 years and their life savings training in their profession (which they are now very established in) and fear losing this.

I think they may be further worried because it is for the purpose of the police making a decision on whether to charge their former client for a serious crime.

OP posts:
Unencrypted · 26/01/2025 12:38

@ZoeyBartlett to add the police have explicitly said the subject cannot be contacted as it would compromise the police investigation.

They added, when the professional asked for the data to be withdrawn (as the subject hasn't consented), that the subject's right to consent is trumped by the fact they are a suspect.

OP posts:
Kangarude · 26/01/2025 12:40

On the ICO website there is a section about disclosures to the police. It seems it is lawful if it meets certain criteria. Has your friend checked this?

The website gives the criteria as:

Data protection legislation defines law enforcement purposes as “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.”

roselilylavender · 26/01/2025 12:40

Why don't they just ring the ICO to discuss? The staff on their helpline are really helpful. You don't have to give details when you speak to them so you can have a discussion and then decide how to action the advice.
I would suggest having the conversation with the ICO sooner rather than later. Data breaches should be reported in 72 hours. Your friend doesn't want to compound the issue by failing to report.

EauNeu · 26/01/2025 12:42

Was this definitely a legitimate request from the actual police? Sounds dodgy.

Unencrypted · 26/01/2025 13:02

@Kangarude and @roselilylavender - these are helpful - thank you.

I am not quite sure it meets the law enforcement threshold - but the police think it does.

And really helpful to know the ICO don't instantly trace the call and send a team of auditors round (I know this sounds silly, but I think is the type of fear the professional has).

@EauNeu 100% real. I sometimes work with the police force in question and am somewhat shocked by the officer's tone in emails, very blunt and causing my friend more worry.

I will help them call the ICO on Monday morning.

OP posts:
prh47bridge · 26/01/2025 13:54

The ICO has a toolkit that allows them to determine whether to share information with the police. They should really have checked before sharing, but they can use it now to see if this is a breach. You can find the toolkit at "Stage one - Can I share personal data with a law enforcement authority? | ICO":

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/can-i-share-personal-data-with-a-law-enforcement-authority/data-sharing-stage-one/

Pleasealexa · 26/01/2025 14:03

Is the assumption that you must always have consent to disclose personal information?

If so, that's not correct - consent is ONE of the lawful purposes and generally the weakest as it can be withdrawn; however, assisting the police is a lawful basis, as long as you have taken steps to verify the identity of the requester.

ICO are concerned with flagrant breaches of personal data. It's helpful to review the ICO "action we have taken" page, which indicates the circumstances that have led to prosecution.

Unencrypted · 26/01/2025 15:01

@prh47bridge yes they should have checked that link, as the ICO tool was mentioned in the police's cover letter - but they sadly didn't and instead got on and sent the info over right away as there was a red sheet signed by a detective inspector with a warrant number.

They now want to do some training in GDPR to help them in the future - and plan to ask the ICO helpline if they have any recommendations on what level and type of training to do when they call them tomorrow.

OP posts:
Unencrypted · 26/01/2025 15:02

Thank you @Pleasealexa - I didn't know about the "action we have taken" info on the ICO website and will pass that on now.

OP posts:
Unencrypted · 26/01/2025 15:05

I would add they are usually really careful, e.g. client notes are never written in public spaces, only use client initials and are stored in a locked box then destroyed after 6 years etc.

In this case, they just saw "police" and "warrant" and rushed to comply!

OP posts: