Privacy Daily is a service of Warren Communications News.
Subscriber Login

UK Information Office Slams Police Force for Sloppy Handling of Video Evidence

August 18, 2025 |Europe

The South Yorkshire Police's failure to retain nearly 100,000 pieces of body-worn video evidence showed the force lacked appropriate technical and organizational measures to keep the data secure, the U.K. Information Commissioner's Office (ICO) said Monday in reprimanding the police.

Sign up for a free preview to unlock the rest of this article

Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.

Start My Free Preview

The police deleted more than 960,000 pieces of video evidence on July 26, 2023, and discovered it the next month, ICO said.

Before the deletion, more than 95,000 pieces of footage were copied to a new IT system, "but, due to poor record-keeping, the force is still unable to confirm the exact number of files deleted without copies being made," the watchdog said. The evidence lost related to 126 criminal cases, though "only three of the cases were impacted by the loss."

In addition, ICO found that the force had delayed developing IT backup policies and failed to report to senior management when flaws were discovered in 2019. Moreover, poor record-keeping meant the force couldn't confirm how many pieces of footage were permanently lost, nor could it identify the security risk involved in transferring personal data between IT systems.

The ICO recommended that South Yorkshire Police ensure adequate storage backup and processes for restoring lost body-worn video footage. The force should continue to shadow third parties when they access their IT systems, and define the roles and responsibilities of third parties when they process personal information held on police IT systems, the ICO said.

It also recommended that the force complete a risk assessment to determine security implications and control requirements before allowing third-party access to its IT systems, and ensure that all records are marked clearly and identifiably.