The Association of Chief Police Officers (ACPO) is inviting members of the public to send data protection subject access requests over an insecure HTTP connection.
According to a blog by Jon Baines, chair of the National Association of Data Protection Officers (NADPO), as well as access requests, copies of proof of identity, such as passports or bank statements, are also requested to be sent over the HTTP connection.
“This is almost certainly in breach of ACPOs obligations under the Data Protection Act,” Baines said. “One of the most important rights under data protection law is that of ‘subject access’. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it.”
Pointing to a tweet by consultant Paul Moore highlighting the issue, Baines said that it is difficult to understand how it has happened. Baines said: “At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping.”
In an email to IT Security Guru, Baines said: “The first consideration when designing an online process for transferring highly sensitive personal data should be security, and the privacy of individuals.”
Altered to the issue, an ICO spokesperson said: “We are aware of this issue and are currently making enquiries.” Emails seeking a comment from the ACPO were not returned.
The post Police website asks for data protection requests over HTTP connection appeared first on IT Security Guru.