A Metropolitan Police officer has been dismissed after repeatedly accessing sensitive files related to the disappearance and murder of Sarah Everard while off-duty, prompting concern that legal requirements around police data access – which are due to be removed by the government’s data reforms – are not being followed.
Following the murder of Sarah Everard in March 2021 by serving Met Police officer Wayne Couzens, a dedicated taskforce of investigators from the Directorate of Professional Standards carried out an audit of those who had accessed files relating to her disappearance and the subsequent investigation, looking specifically at whether those who had accessed these files did so with a proper policing purpose.
The Met said a total of 104 officers and staff (68 officers and 36 staff) were initially identified as potentially accessing files relating to the investigation without a legitimate policing purpose, which resulted in seven officers being served with gross misconduct notices and appearing in front of a hearing.
While this led to one officer – a member of the Met’s Roads and Transport unit who accessed the information off-duty – being formally dismissed, others have received a mixture of written warnings and further training. In total, two-thirds of the cases required further action.
However, campaigners and privacy experts said these situations would be made more likely if the government’s Data Use and Access Bill (DUAB) passes, as it’s set to remove the police logging procedure that requires forces to keep records detailing how information is accessed and used.
This includes recording a justification for why an individual officer has accessed a particular piece of information, although according to the DUAB’s explanatory notes, officers and staff will still be legally expected to log the time, date and, “as far as possible”, their identity when accessing information.
“The Met investigated over 100 staff over the inappropriate accessing of information in relation to Sarah Everard,” said Jim Killock, executive director of the Open Rights Group. “This shows the police can and do act to access information inappropriately. This is likely the tip of the iceberg. There may be less prominent cases, where police abuse their power by accessing information without worry for the consequences.
“Against this, the government needs to explain why it wants to actively remove accountability measures for accessing public data while at the same time removing other safeguards and protections.
“We need more, not less, transparency and accountability over how, why and when the police access, process and share data about the public,” he said. “Reducing restrictions risks worsening existing tensions between police and the communities they claim to serve.”
Owen Sayers, an independent security consultant and advisor on police data protection compliance with more than 25 years of experience in delivering secure solutions to policing, added that the incident raises the question of who else is having their data accessed by off-duty officers.
“How do we know that access is controlled only to those who need to see our data?” he said. “Or is police data management literally the pile-on free-for-all it looks like from this case?”
Misconduct hearings and further action
While three of the seven officers were found to have accessed the information with a legitimate policing purpose, three others were not, leading to a dismissal for one of the officers (who accessed the data off-duty), and a final warning to last three years for another. The third would have been dismissed had they not already resigned.
The seventh serving officer will face a separate gross misconduct hearing on a date to be set. The Met added that another member of police staff previously faced a private gross misconduct hearing and was dismissed.
“Our officers and staff are regularly reminded that police systems and specific files must only be accessed where there is a legitimate policing purpose to do so,” said deputy assistant commissioner Stuart Cundy. “This includes reminder screens and warning pages when logging on to our software systems, as well as mandatory training on information management which must be completed by everyone within the organisation.
“It is clear the panel has carefully considered the circumstances of each individual case before coming to their conclusion that three officers had no acceptable reason for looking at this information.”
Cundy added that the majority of the 104 officers and staff who had inappropriately accessed information admitted they had done so out of curiosity.
In terms of those other cases, 10 officers and staff were issued written warnings, 16 were referred for “reflective practice”, and four received “no further action” following misconduct hearings, while a further 38 were referred for reflective practice without a hearing. No further action was taken against the remaining 28 officers and staff, with no requirement for them to attend a misconduct hearing.
“When spoken to, they were remorseful, apologised, admitted poor judgement and were keen to engage in training,” said Cundy. “All of this was taken into account when determining the most appropriate outcome for each individual. We know that honest mistakes can be made and the most serious outcomes relate to those who were deliberately evasive or tried to avoid accountability. Those actions are not compatible with the values of the Met.”
In response to Computer Weekly’s questions about the incident – including whether justifications were recorded by the officers and what these justifications were if so – a Met spokesperson said the specifics of the hearing outcomes will be available on its website once it has been reviewed.
Asked about whether the incident was referred to the Information Commissioner’s Office (ICO), the spokesperson added: “We assessed the risks posed and determined that the matter did not meet the criteria for a mandatory referral. However, we did inform them of the circumstances.
“On wider access – the Met has the ability to restrict files, but to deliver operational policing it is an important principle that police information can be appropriately accessed and used by police officers as part of their roles. Our policy is clear that if an employee does not have a lawful or genuine policing purpose to view data, then they should not view it.”
Computer Weekly also contacted the Home Office about the removal of logging requirements under the DUAB, and whether it would reconsider this approach given the number of officers and staff that accessed the files, even when there are rules in place.
“The Data Use and Access Bill aims to remove the ineffective requirement for police officers to record a justification for accessing or disclosing personal data,” said a Home Office spokesperson. “Officers that access or disclose data will still need to have a legitimate law enforcement reason to do so.”
The DUAB explanatory notes added the requirement to record a justification is being removed because “it is unlikely that a person accessing records inappropriately would record an honest justification”.
Responding to questions about the incident, a spokesperson for the ICO said: “We are pleased that the section 62 logging requirement is being retained as we recognise the value and importance of being able to determine the date, time and identity of those accessing information when monitoring potential misconduct or abuse.
“The decision to remove the justification requirement on the basis that there is little evidence of its effectiveness is ultimately a matter for government, and we welcome parliamentary scrutiny of this proposal. We’ll continue to work with law enforcement organisations to help them understand the changes to the Data Protection Act 2018 through the reforms.”
Liberal Democrat peer Lord Clement-Jones previously told Computer Weekly that the removal of police logging requirements was “egregious”, and it represents a potential divergence from the European Union’s Law Enforcement Directive (LED) that could prevent the UK from renewing its LED data adequacy decision.
The LED said: “The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data.”