The ICO exists to empower you through information.

The Information Commissioner’s Office (ICO) has issued a reprimand to West Midlands Police (WMP) after the force repeatedly mixed up two people’s personal information.

On numerous occasions throughout 2020, 2021 and 2022, WMP incorrectly linked and merged the records of two people with the same name and date of birth. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime, a breach of the Data Protection Act 2018.

This mix-up led to inaccurate personal information being processed and resulted in a catalogue of errors, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child.

WMP didn’t take steps to rectify the error quickly enough and there was a failure to stop the inaccurate linking of records reoccurring, both breaches of data protection law.

The ICO also found that there was a lack of regular data protection training and not enough was done to make employees aware of their responsibilities to report any inaccurate personal information.

David Doodson, Civil Investigations Group Manager at the ICO said:

“It is essential that police forces handle personal information with the utmost respect to maintain people’s trust and confidence in the police. Sharing the same name and birthday as someone else should not mean your personal information is jeopardised, especially given the sensitive nature of the information held.

“This case highlights the importance of training to ensure officers understand data protection law to avoid mistakes like this occurring again.”

WMP has since introduced a new data quality policy and produced a “Think before you link” campaign to help ensure accuracy, both steps the ICO has welcomed.

Recommendations made by the ICO, full details can be found online:

  • Maintaining relevant records of its processing activities.
  • Taking appropriate action to distinguish the records of the two individuals and prevent further inaccurate linking and merging of records containing personal data.
  • Sharing learnings from security incidents across the organisation and reminding employees of relevant security policies.
  • Ensuring employees attend mandatory data protection training in line with WMP policies, including implementing an appropriate action plan to improve completion rates of refresher data protection training.
Notes to editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. The ICO's strategic priorities are set out in ICO25, which includes safeguarding and empowering people, particularly vulnerable groups who are exposed to the greatest risk of harm.
  5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.