The Association of Chief Police Officers (ACPO) is inviting members of the public to send data protection subject access requests over an insecure HTTP connection.
According to a blog by Jon Baines, chair of the National Association of Data Protection Officers (NADPO), as well as access requests, copies of proof of identity, such as passports or bank statements, are also requested to be sent over the HTTP connection.
“This is almost certainly in breach of ACPOs obligations under the Data Protection Act,” Baines said. “One of the most important rights under data protection law is that of ‘subject access’. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it.”
Pointing to a tweet by consultant Paul Moore highlighting the issue, Baines said that it is difficult to understand how it has happened. Baines said: “At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping.”
In an email to IT Security Guru, Baines said: “The first consideration when designing an online process for transferring highly sensitive personal data should be security, and the privacy of individuals.”
Altered to the issue, an ICO spokesperson said: “We are aware of this issue and are currently making enquiries.”
UPDATE – Ian Readhead, the National Policing Lead for Data Protection and Freedom of Information, said: “The ACPO Criminal Records Office (ACRO) became aware of the situation concerning the provision of personal data over a HTTP rather than a encrypted HTTPS connection on Tuesday February 24th. This was caused by a contractual oversight. The Information Commissioner was immediately advised. The secure HTTPS connection was restored on February 25th. We apologise for this matter.”