Updated 15th August 2023: New information added around a second data breach by Suffolk and Norfolk Police forces.
Suffolk police force has suffered two data breaches in under a year, affecting the personal data of victims and witnesses. The first Suffolk Police data breach occurred in November 2022, when it was discovered that Suffolk Police had accidently published the names and addresses of victims of sexual assault on its website.
The second Suffolk Police data breach, which happened in conjunction with Norfolk police force, occurred in August 2023, when the personal information of 1,230 people, including victims of crimes and witnesses, as attached to responses to Freedom of Information (FOI) requests for crime statistics due to a “technical issue”.
In this article, we’ll run through the details of each of the Suffolk Police force data breaches, providing information on who was affected and what data was breached. We’ll also outline what steps you can take if your personal information was breached as part of the Suffolk Police data breach or Suffolk and Norfolk Police data breach.
Details of the first Suffolk Police data breach, November 2022
In November 2022, Suffolk Police suffered a data breach resulting in the personal information of sexual assault victims being posted on the force’s website. According to the East Anglian Daily Times, hundreds of people may have been affected by the breach.
Suffolk Police force has claimed that “the matter was quickly resolved” and launched an investigation into how it took place, while the force’s commissioner, Tim Passmore, issued an “unreserved apology” for the breach. The Information Commissioner’s Office (ICO) has confirmed that it has received an incident report from Suffolk Police and is assessing the information.
While all data breaches are serious and can have a profound impact on those affected, this was a particularly troubling case that focused on highly sensitive information. In a statement, the support organisation Suffolk Rape Crisis noted that “survivors of sexual violence who have reported to the police are entitled to lifetime anonymity”. They further stressed that the breach “could put women at threat of further violence”.
Details of the Suffolk and Norfolk Police data breach, August 2023
In August 2023, it was reported that Suffolk and Norfolk police had suffered a data breach affecting the data of 1,230 people. This happened when personal information of victims, witnesses and suspects was attached to responses to Freedom of Information (FOI) requests for crime statistics issued by the two forces between April 2021 and March 2022. They said the information was attached due to a “technical issue” and that the data was hidden from anyone opening the files.
The Suffolk Police force released a press notice on their website regarding the data breach. In this, they state the data impacted in this breach “was information held on a specific police system and related to crime reports.” The data included personal identifiable information on victims, witnesses and suspects, as well as descriptions of offences. These offences included domestic incidents, sexual offences, assaults, theft and hate crime.
They went on to say that they’d conducted a full and thorough analysis of the data impacted and that they have started the process of contacting individuals whose data was affected. They say they will contact these individuals “by letter, phone, and in some cases, face-to-face depending on what information was impacted and the support required.” They expect this process will be completed by the end of September.
Suffolk police state that “strenuous efforts have been made to determine if the data released was accessed by anyone outside of policing” and that they have found “nothing to suggest this is the case.” The data would not have been “immediately obvious” to anyone who received the FOI response and they would have “needed to know how to access the information” to be able to view it.
The Information Commissioners Office (ICO) has been notified of the breach. They said they are investigating the matter.
Stephen Bonner, deputy commissioner at the ICO, said: “The potential impact of a breach like this reminds us that data protection is about people.
“It’s too soon to say what our investigation will find, but this breach – and all breaches – highlights just how important it is to have robust measures in place to protect personal information, especially when that data is so sensitive.”
The forces have apologised for the breaches. Temporary Assistant Chief Constable of Suffolk Police, Eamonn Bridger, who led the investigation on behalf of the two forces, said: “We would like to apologise that this incident occurred, and we sincerely regret any concern that it may have caused people of Norfolk or Suffolk.”
This is little comfort to the victims who have suffered as part of this or the previous Suffolk Police data breach. Under law, victims of sexual offences should have lifelong anonymity and this breach breaks that law, potentially jeopardising hundreds of victims.
These incidents highlights just how vital it is that the police take their data protection responsibilities seriously. The kinds of data that the police force will hold are extremely sensitive, and the exposure of this data can have serious, life-changing consequences for those affected.
Thankfully, there are sources of support for those who have been impacted by a data breach. This includes seeking compensation from the organisation responsible. In this post, we’ll look at the regulations governing data breaches in the UK and explain how those affected by data breaches can get the compensation they deserve.
The UK’s data protection regulations
The first Suffolk Police data breach was first reported on 15th November, with the force stressing that the data was available for only “a short period of time” before being “quickly removed”. Nevertheless, the specifics of the breach are shocking. The information exposed by the breach is alleged to include the names, addresses, and dates of birth of sexual assault victims, as well as details of the alleged offences.
The second breach, involving Suffolk and Norfolk Police, was reported on 15th August 2023, with the force stating the data was “hidden from anyone opening the files” and that it would not having been “immediately obvious” to anyone who had received the Freedom of Information Response. However, the information in the files supposedly includes personally identifiable information about victims, witnesses and suspects, as well as descriptions of offences.
The potential consequences of such information being made public are deeply concerning. The risk posed to victims is significant, and even the simple fact of having this kind of information exposed can be traumatic.
In response to the first breach, Suffolk Police stressed their commitment to safeguarding people’s data, noting: “We take our obligations under the Data Protection Act very seriously.”
However, it seems this may not be the case, as they suffered a second breach in under a year.
Data protection obligations are substantial. The Data Protection Act (DPA) 2018, alongside the UK General Data Protection Regulation (GDPR), sets out the responsibilities that organisations processing personal data must fulfil.
The regulations centre on six key principles that organisations must adhere to, including the principle of “integrity and confidentiality”, otherwise known as the security principle. This principle stresses that organisations holding personal data must put measures in place to keep this data secure.
There is a specific section of the DPA 2018 that covers the requirements for law enforcement authorities, who understandably face their own unique challenges when it comes to safeguarding personal data.
The ICO is at pains to stress that the kind of data exposed in the Suffolk Police breach merits special consideration. In their public guidance, they state: “information about victims or witnesses is likely to be sensitive or high risk, and you should take particular care when processing it. […] Processing such sensitive data creates significant risks to the privacy and wellbeing of the individuals concerned.”
The Suffolk Police data breaches offer a clear example of these risks. Exposing victims’ and witnesses information in this manner could pose an immediate risk to their safety, as well as having a broader impact on their health and well-being.
The right to seek compensation for a data breach
The GDPR not only sets out the principles that data processors must abide by, but it also enshrines the right to claim compensation if you have been affected by a data protection breach. This compensation is intended to support those who have suffered material or non–material damage as a result of a data breach. Relevant forms of damage can include:
- Reputational damage
- Loss of earnings
- Identity theft
If you have experienced any or all of these consequences as a result of an organisation mishandling your data, it’s important to consider pursuing a compensation claim. While compensation won’t undo the damage caused by a data breach, it can go some way to helping you move on from the incident.
Those who have been affected by the Suffolk Police data breach should have been contacted directly by the force, as this is a key requirement under the DPA 2018. Victims of the Suffolk and Norfolk Police data breach should also be contacted as soon as possible. If you have been contacted, you may wish to pursue compensation, particularly if your well-being has been affected by the incident.
HNK can support your data breach compensation claim
While not all data breaches are as severe as these recent incidents, any loss of control over your personal information can have damaging consequences. However, without expert help it can be difficult to know if you might have a valid claim and what further steps you should take.
If you are considering a data breach compensation claim, it’s important to consult a solicitor with experience in this area. The UK’s data protection regulations are complex, and seeking expert legal support can help to ensure you get the compensation you deserve.
As our case studies show, HNK Solicitors have a proven track record of helping victims of data breaches successfully claim compensation. We offer free, no-obligation consultations to help you decide if you may be entitled to compensation. If we do think you have a valid claim, we can help you to pursue it on a no-win, no-fee basis. To find out how we can help you, fill out the contact form on our website or call us on 0151 668 0812.
To find out more about making a claim against Suffolk Police, visit our Suffolk Police data breach claims page.