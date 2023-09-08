A decision by the Police Ombudsman’s office to retain “highly personal information” about employees has been branded a “very disturbing and puzzling” situation.

The BBC’s Nolan Show has revealed that the Police Ombudsman’s office was storing “huge amounts of highly personal information on its employees without the knowledge of the Ombudsman (Mrs Marie Anderson) herself”.

The show reported that when staff applied for jobs at the Ombudsman they were required to answer questions in relation to “highly sensitive information” about themselves such as the “type of pornography they watched” and “how often they have sex”.

Rather than destroying the information after someone did or did not get a job, Mr Nolan reported the Ombudsman’s office drew up a rule to “keep this data in a cabinet in the Ombudsman’s office until their employees reached the age of 72”.

A memorandum of understanding was said to have been drawn up with the official government vetting service.

However, once the Ombudsman herself found out what was happening, procedures were changed and some information was destroyed that they had intended to keep.

The Information Commissioner is reported to be investigating the matter after a complaint was lodged.

Data protection expert Martin Rosenbaum described it as a “very disturbing and puzzling situation”.

He told the Nolan Show: “It’s not at all clear why the Ombudsman’s office should have been hanging on to this information under these circumstances.

“As you said, this is extremely sensitive information, it’s the information that people provide when they’re undergoing various levels of security vetting.

“The point is to make sure they’re not subject to blackmail or bribery or other pressures, so they’ve got to confess everything about their lives really.”

He added: “This is not only information about themselves, it’s information about their families, about close friends, about people who they lived in the same house as, all this kind of thing.

“So it’s very sensitive information about an awful lot of people and it’s completely unclear what rationale there could have been for the Ombudsman’s office to hold on to this information.

“The point here is that the more copies of any information that’s held, inevitably you increase the risk that it’s disclosed inadvertently or maliciously for that matter.”

He cited the “terrible consequences” of the PSNI data breach as an example of what can happen and as a lesson to all organisations of how information can be released accidentally.

To reduce the risk, Mr Rosenbaum explained, organisations should not hold duplicate copies of information stored elsewhere as this material was still retained by the UK security vetting organisation which has “top level processes” to keep security information secret.

The Police Ombudsman’s said it takes the protection of personal information seriously, given that in order to conduct sensitive enquiries and investigations, many of her staff must have the highest level of security clearance.

“The Office is the decision-maker in respect of vetting of individuals and therefore receives vetting information from United Kingdom Security Vetting (UKSV) in order to make the final vetting decision,” a statement added.

“Vetting information has been held in line with the Office’s published Retention and Disposal Schedule and its Memorandum of Understanding (MoU) with the UKSV.

“Vetting information has been held securely within the office premises, with access restricted to three designated people with specific responsibility for vetting matters (please note that none of these are HR staff and HR staff do not have access to vetting records).”

Furthermore, the Ombudsman said no vetting information has been disseminated inappropriately either internally or externally.

The Information Commissioners Office (ICO) has not instructed the Office to destroy record, a statement continued.

“As part of its review of the retention of vetting information, the Office engaged with and sought advice from UKSV, the Public Records Office of Northern Ireland (PRONI) and the ICO.

“Subsequent to that engagement with the ICO, the Office amended its retention arrangements, undertook a Data Protection Impact Assessment (DPIA) and published an amended Retention and Disposal Schedule.

“The Office has also invited the ICO to audit our processes. Our staff have been kept fully informed.”

A follow-up statement said the Ombudsman understands that the ICO has received a complaint in respect of the retention of vetting information and it would, therefore, be inappropriate for the Police Ombudsman to comment further at this time.