James Cooper, (8906), the Information Rights Manager of Bedfordshire, (also Hertfordshire and Cambridgeshire) police is subject to a formal police complaint for attempting to cover up a reported data breach, contrary to the Data Protection Act 2018. (DPA)
The person had made a SAR only after discovering a recent abuse of their personal data within local police. The SAR was to ascertain the cause of the prior data breach, not expecting it to become another breach.
Within the SAR, the person made it clear that the purpose of the SAR was to gain copies of their personal data, under the Right of Access, and that, once completed, the personal details within the SAR was to be deleted.
For reasons yet to be ascertained and for no apparent lawful reason, the Data Controller (Data Compliance Team) went on to notify DC Neil Patrick that the person had made a SAR.
For the record, DC Neil Patrick is completely unrelated to the Data Compliance Team.
So far, the Data Controller has refusing to divulge how DC Neil Patrick was notified of the SAR or for what reason he was notified.
The act of making a SAR is in itself confidential and should also be treated by the DAta Controller as ‘personal data‘ and protected under the DPA.
DC Neil Patrick has admitted that he was aware that the person had made a SAR but he has also failed to elaborate how, or why he was made aware?
DC Neil Patrick then went on to gain a copy of the person’s personal data (email address), which was supplied for the purpose of a SAR only.
DC Neil Patrick then ‘solicited‘ the person for what is believed to be unethical reasons. Reasons that James Cooper defends as in the public interest, or with the authority of the data controller.
The data breach was reported to the Data Controller, who responded with the following;
Thank you for your emails, please accept my apology for the delay in getting back to you.
You have asked why your email address was shared with DC Neil Patrick. I can confirm that your email was provided to DC Neil Patrick as he needed to ask you whether you would be willing to provide a statement to Police.
The lawful basis for the Data Protection Unit sharing your email address is Article 6 (1) DPA 2018, Article 6 (1) gives a lawful basis for processing where ;
‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
This can apply if you are carrying out a specific task in the public interest which is laid down by law or you are exercising official authority – for example a public body’s tasks, functions, duties or powers, which is laid down by law.
I do not therefore agree that you personal data has been breached.
I hope this assists you.
Information Rights Supervisor (Beds, Cambs & Herts)
A review of this decision was requested by the person as there was evidently no public interest. DC Neil Patrick was fishing for information, information he knew who not be forthcoming, nevertheless, the issues raised is, how did DC Neil Patrick become aware that the person had made a SAR in the first place to allow him to seek the email address?
I reject your response and seek further clarification and an urgent review your decision.
I made a subject access request (SAR) to Bedfordshire police. I did this to receive copies of my personal data, held by police.
My request was for this purpose only, and I had an expectation of privacy in making such a request. My SAR or any information relating to it should not be disclosed to any other person.
All personal information that I provided to you in making this request was also for this purpose only. This included my name, email address and drivers license. I went so far as to emphasise my concerns of data privacy by seeking the immediate deletion of my ID as soon as it had been verified. This was not done and has still not been confirmed to have been done.
When making an SAR, this in itself became my personal data as I was required to submit further personal data to make that request. The SAR therefore is personal and private and subject to GDPR.
DC Neil Patrick stated he got my personal details as I had made a SAR.
At no time should DC Neil Patrick have even been made aware of my SAR.
DC Neil Patrick may well have wanted to contact me over another unrelated matter. This is none of your concern. What is of concern is, how he came to the knowledge that I had made a SAR in the first place.
How did this information (my SAR) become known to DC Patrick? This knowledge led to him seeking my personal information (email address) from your department (that you had previously disclosed) and allowed him to solicit me for a statement?
Please provide the full circumstances (with supporting evidence) of how DC Patrick first became aware of my SAR, who notified him, how he was notified and for what purpose he was notified. Please also tell me who else was notified.
It is most certainly not a public interest matter, asking me ‘if’ I will give a statement (for a non-offence). On the contrary, DC Neil Patrick was already unlawfully aware that I had made an SAR.
For it to be considered in the ‘public interest’, an investigation must first gather evidence to see if any offence is made out under part one of CPS two-part test, this being the evidential stage. Only if there is evidence does the CPS consider the 2nd test, the ‘public interest test’. As it stands, police a desperately trying to satisfy the evidential stage and as I understand it, have no evidence of an offence. I am aware that the CPS have failed to give charging permission, meaning the evidential stand has not been met and therefore, there is no public interest to be considered.
Furthermore, DC Neil Patrick was aware I was acting for Ms ******* (his alleged suspect) as her legal friend (McKenzie friend), and also that I was a primary witness for Ms *******. This shows that it was never even part of the public interest test as I am already involved in the same proceedings, my statement would be for Ms ******s defence and the police knew I was not or would never be a police witness in this matter.
For the benefit of this email and the ICO, I will state that I have made a data breach allegation already to Bedfordshire police, that my personal details were noted on Ms ******* bail conditions. This was a use of my personal data without my knowledge or permission. The conditions falsely inferred I was a police witness. I was not and never was. This clearly shows that DC Patrick has confirmed (by seeking a statement), that the police knew I was not a police witness and that the false uses of my personal date to infer I was a police witness, is a misuse of my personal data.
Furthermore, I believe DC Neil Patrick has retrospectively sought my consent to be a police witness (via seeking my personal data from the Data Protection team), solely for the purpose of trying to justify the abuse of my personal details on the bail conditions. If I had responded to DC Patrick, agreeing to providing a statement to CPS (which I have not), then I would be have been confirming I was a police witness, therefore police appear to be attempting to justify the abuse of my personal data, retrospectively by seeking me as a witness, after they gave unlawful bail conditions to Ms ****** inferring they were because I was a witness.
I had a reasonable expectation of privacy when I sent my personal details to you, solely for the purpose to get copies of my personal data. I had no knowledge or gave no permission for you to pass this on to any other persons, for any other reason. In fact, my SAR clearly seeks the deletion of my identity that you disclosed.
It is evident that, prior to the disclosure of my personal information to DC Neil Patrick, the Data Protection dept must have disclosed to DC Neil Patrick that I had made a SAR, this alone is a breach of my personal data, as notifying him I had made a SAR is an unnecessary and unlawful disclosure.
Please can I ask for a response within a reasonable time frame, may I suggest my Wednesday 13th October 2021. IF I have not received a response, I will report the lack of response to the ICO and will pursue legal proceedings against Bedfordshire constabulary.
May questions were put to the Data Controller, especially how DC Neil Patrick even became aware of the SAR. The response to the review request came from James Cooper, (8906), the Information Rights Manager of Bedfordshire
As the manager of Information Rights I have reviewed the below accordingly and have reached the same conclusion as my team have and therefore uphold the original response that we as a department do not consider this to have been a breach of your data with the lawful basis being detailed below in your original response.
If you are not content with the outcome of your complaint, you may apply directly to the Information Commissioner for a decision. For information on how to make a complaint please visit their website at https://ico.org.uk/concerns/ or contact them on 0303 123 1113.
James Cooper (Cambs)
Information Rights Manager
James Cooper, (8906) failed to answer any of the important questions, simply that he reached the same conclusion. James Cooper seemingly trying to ‘make this data breach go away’. We wonder if Karen Kenedy (the initial decision-maker) will get a ‘Jim Fixed It For Me” badge.
James Cooper has now been asked to confirm some details;
For the purpose of the ICO data breach report, please confirm which formed the necessity to share my personal data under the DPA, was it 1 or 2?
“Processing is necessary..
for the performance of a task carried out in the public interest; or
in the exercise of official authority vested in the controller”
So far, the Information Rights Manager of Bedfordshire, James Cooper (8906) has failed to respond.
The data breach has been reported to the ICO.