Three UK police forces have apologised to over 1,000 staff after their personal details were sent to security services provider G4S during IT and back-office outsourcing negotiations.
Bedfordshire Police, Cambridgeshire Constabulary and Hertfordshire Constabulary notified the Information Commissioner's Office in February when they identified the data breach.
"The data security breach occurred as the three forces were developing an outline business case regarding the potential outsourcing of the three forces’ support functions to G4S, via a framework already in existence with Lincolnshire Police," the three police forces said in a joint statement.
Five files were sent electronically which contained personal information about staff from the three forces which was over and above what was required to be sent to G4S, breaching the Data Protection Act 1998.
"Once the breach was identified, G4S appointed an Information Assurance Professional to ensure that all information relating to the personal data was deleted from their hard drives and records, and that no hard copies existed."
The police forces have accepted that the sharing personal employee data was not appropriate, but pointed to a non-disclosure agreement with G4S which meant no data would ever have left its hands.
"“I wrote to the members of staff affected by this data security breach in February explaining what had occurred and apologising to them," said deputy chief constable John Feavyour, senior information risk officer for the three forces.
"G4S responded extremely promptly and professionally when this matter was raised with them, ensuring that all personal data was deleted from their hard drives and records.”
The ICO has said that it will investigate the incident. A recent investigation by law firm Field Fisher Waterhouse found that 80% of fines the ICO issued in 2012 were for organisations that reported themselves to the data watchdog.
Talks between the three forces and G4S collapsed in January this year. The police forces had hoped to save £73 million by outsourcing over 1,000 roles to the company, including IT, finance and HR.
In February last year, G4S won a £200 million, ten-year contract with Lincolnshire Police to provide outsourced services, with a projected of £28 million.
The hope had been that other police forces would also use the Lincolnshire's shared service. However, Hertfordshire Police and Crime Commissioner David Lloyd said in January this yet that "it is now clear that the G4S framework contract through Lincolnshire Police was not suitable for the unique position of the three forces".
"I am already in discussion with other market providers and will continue to talk with G4S about how they can assist policing support services in Hertfordshire," he said. "My clear position is that all elements of support work will be considered for outsourcing or other use of the market."
One controversial component of Lincolnshire Police's outsourcing deal with G4S was the plan to set up a private, "high tech" police station, which would include custodial cells. That plan was put on hold in September last year.