Police reprimand from Deputy Data Protection Ombudsman – police have initiated measures ordered
The Deputy Data Protection Ombudsman has reprimanded the police for a data security breach at the turn of 2019/2020 arising from the trial use of facial recognition technology to combat child sexual abuse. The ruling by the Deputy Data Protection Ombudsman also includes orders for follow-up measures to be taken by the police as controller.
The police take data protection seriously and take into account the rights of the data subject in all their operations.
“The police take the reprimand from the Deputy Data Protection Ombudsman seriously and will ensure that the measures ordered in the ruling are put in place. In addition, we will further develop our skills and procedures to ensure there will be no reoccurrence of anything similar going forward,” says Annina Hautala, Chief of Information Management at the National Police Board.
Background of data security breach detected in spring 2021
In spring 2021, the police discovered a suspected data security breach involving personal data. The police immediately took steps to investigate the suspected breach to minimise the harm caused to the data subject and to prevent similar anomalies.
The matter concerns a situation notified by the National Bureau of Investigation where personal data had been processed in the Clearview AI system at the National Bureau of Investigation for the purposes of testing the service. Testing was related to development tasks for which the National Bureau of Investigation is responsible to enhance combating online child sexual abuse. Neither the information security nor the compliance of the service with data protection legislation had been sufficiently ensured beforehand.
During the trial period, the software conducted around 120 searches with facial images of potential victims found on social media services. Four persons used the software during the month-long trial, after which the National Bureau of Investigation discontinued use of the service for data protection reasons on their own initiative. During the trial use, searches were made mostly using test data and according to the report obtained only two instances involved real images. The images contained no information that would offend sexual morality.
The National Police Board submitted a preliminary notification of the suspected breach to the Data Protection Ombudsman on 9 April 2021.
“The police want to be as open as possible and to this end the National Bureau of Investigation also published a press release about the matter on 9 April. The police continued to investigate the situation and a supplementary final report was submitted to the Data Protection Ombudsman as soon as a sufficiently comprehensive picture of the situation was received and the follow-up measures had been planned,” Hautala says.
The internal investigation carried out by the police revealed that for the same processing purpose, the National Bureau of Investigation had a few times tested another application related to identification of material linked to the sexual exploitation of children. Again, no information offending sexual morality was processed in this service.
Police given instructions on information security and data protection
The police have been given extensive written instructions on information security, personal data processing and the rights of data subjects. During 2020, also mandatory training on information security and personal data processing was provided for all police personnel. There was also training on the processing of biometric data.
“As a result of the incident, the National Police Board will reassess the need to update information security and data protection processes, guidelines and training. The National Board of Police will also take steps to ensure that there is sufficient awareness of the process for introducing new information systems and services and the procedures for operating accordingly across the police organisation,” Hautala says.