158
Investigatory Powers Commissioner’s Annual Report 2019
Error Investigation 11
Telecommunications Operator (TO)
Human or Technical:
Technical
Classification:
Shortfall Data
Data Acquired:
Wi-Fi session data
Description:
A system fault led to the disclosure of inaccurate internet session
data records relating to devices attached to public Wi-Fi. The fault
was identified by the TO after a short period, during which several
disclosures had been made in relation to authorised communications
data requests. Once the fault had been fixed, the TO re-ran the data
requests and confirmed that 78 had been responded to with incorrect
data. The relevant forces were informed immediately.
The fault led to the following inaccuracies;
i. incorrect data records were disclosed (4)
ii. results were returned which included partially correct data, but
included under or over disclosure of relevant data (36)
iii. unfortunately, in the largest bracket, any inaccuracy is unknown.
Data protection provisions mean that data is deleted by TOs after
12 months. In the remainder of cases, the data had automatically
been deleted before the TO could re-run and verify the data.
Session data alone was unlikely to identify an individual. Where the data
was still available (under 12 months old) the public authorities were able
to request the correct data set and 29 re-runs were requested.
Consequence:
The disclosures under i) and ii) did not result in the identification of
a suspect. With no comparison possible under iii) no further action
was taken.
Error Investigation 12
Telecommunications Operator (TO)
Human or Technical:
Technical
Classification:
No Data (during a defined period)
Data Acquired:
Subscriber and call data records
Description:
A system fault prevented a TO’s portal from providing subscriber details
and call data records covering a 6-day period for routine requests. The
TO immediately informed the police of this issue and provided the
results of urgent requests manually. This meant that the TO was only
able to provide data linked to life at immediate risk.
A total of 998 requests were identified as having sought data from
within the affected six days. The data for each was rerun and made
available to the requesting authority within five days.
Consequence:
There was no impact from this delay in providing data.