Report of the Interception of Communications Commissioner - March 2015
7.105 It is crucial for such systems to be sufficiently tested prior to implementation and
for quality assurance checks to be conducted regularly to ensure that any such systems
are functioning effectively, particularly because one technical system error can have far
wider consequences than one human error. Whenever such a system error is reported
to my office an inspector is allocated to investigate the error instance thoroughly to
determine the cause of the error, the extent of its impact and ensure that sufficient steps
are taken to prevent recurrence. These investigations can take some time.
7.106 In the last reporting year I outlined that my office was in the process of investigating
one such CSP system error which had resulted in incorrect data being disclosed to a large
number of public authorities. This investigation is now complete and I can report that
it was caused by a technical fault relating to the migration of subscriber records. The
error resulted in the incorrect subscriber data being disclosed to a number of public
authorities in relation to 361 data requests. Each one was followed up by my office and
it was determined that in 5 cases individuals who were unconnected to the particular
investigation being undertaken were visited by police. The individuals were all quickly
eliminated from the police forces’ inquiries and it was extremely fortunate that in the
remaining 356 cases there was no significant impact as the police did not take any action
on the incorrect disclosures. The incorrect data was destroyed in line with paragraph 6.21
of the code of practice as it had no relevance to the investigations being undertaken.
This is an example of how one technical system error can have multiple and significant
consequences.
7.107 In 2014 a further 12 technical errors were reported to my office (10 CSP and
2 police force / law enforcement agency). These 12 technical errors resulted in 1399
consequences. These have been, or are in the process of being investigated by my office.
These investigations can take considerable time as each error has to be followed up
with the public authorities affected by the disclosures to ascertain the significance of
the consequences. In some of these cases the disclosure systems or parts thereof have
been deactivated until the technical malfunction has been resolved. In addition to those
significant technical errors, 9 human errors with very serious consequences were also
reported to my office in 2014. Whilst every error is regrettable, the impact of most
errors is limited in the sense that the error is quickly identified and the erroneous data
destroyed, without any action being taken upon it. However, there are occasions where
this is not the case and a public authority takes action against the wrong individual.
7.108 These 21 errors (12 technical and 9 human) resulted in action being taken against
the wrong individual (for example, an innocent individual’s address being visited by
officers, or a warrant being executed at the wrong address) in 12 instances; and on 4
occasions caused a delay in the police conducting welfare checks on a person in crisis.
Some of these errors occurred in relation to the resolution of Internet Protocol addresses
and the consequences of these are particularly acute. An IP address is often the only line
of enquiry in a child protection case, and it may be difficult for the police to corroborate
the information before taking some form of action against the individual identified. Any
police action taken erroneously in such cases, such as the search of an innocent individuals
house, can have a devastating impact on the individual concerned. These errors are
extremely regrettable and it is fortunate that errors with such severe consequences are
72
@iocco_oversight