RGP investigates data breach involving contact details of hundreds of officers

The Royal Gibraltar Police has tightened its data protection policies after a list containing personal details of hundreds of police officers was mistakenly “left behind” when a Neighbourhood Police office in Glacis Estate was closed in 2018, only to emerge two years later during the search of a property in a drugs investigation.

The list, which dated to around 2013, contained the phone numbers of serving and retired officers along with a few dates of birth but no other personal details.

It also contained phone numbers of some RGP support staff and of some individuals from the Glacis Estate Tenants Association.

Police said details of around 400 people were on the list.

There were also several briefing notes from New Mole House which included details of certain calls made to police, the RGP confirmed.

The data breach was discovered on October 16, 2020, when Drug Squad officers found the list while searching a property during an unconnected investigation.

In recent weeks, the RGP has been contacting people affected by the breach, in line with its data protection obligations.

It has also put in place measures to prevent this happening again.

“The RGP have taken this data breach very seriously,” a spokesman for the RGP told the Chronicle.

“Everyone on the telephone list has now been written to.”

“This includes serving RGP officers, now retired officers, support staff and members of the Tenants Association.”

“No-one on the list has reported that there have been any untoward contacts, either by phone or by message, since the data breach three years ago.”

The police investigation into the data breach established that the list had been part of the documentation kept at a Neighbourhood Police office opened in 2012 in Glacis Estate.

The office was closed in 2018 after the RGP realigned its manpower resources but later that year, the empty premises were broken into.

“It is believed that these documents had been left behind in the Glacis neighbourhood office when the RGP moved out,” the police spokesman said.

“They were then removed when the office was broken into in October 2018.”

“We are unaware if anything else was stolen at that time.”

At the time that the list was recovered, data protection was one of many responsibilities carried out by one Inspector at New Mole House.

The role of Data Protection and Information Management at the RGP has since become a fulltime job for two officers.

Under new data protection policies implemented by the force, no “hard copy” documents may now be taken out of New Mole House, other than when required in court.

The data breach was reported to the Gibraltar Regulatory Authority, which regulates data protection in Gibraltar, on October 19, 2020, three days after it was discovered.

The GRA declined to comment on the case or whether the RGP would face any sanction arising from the data breach.

“I can confirm that the matter was reported to the Information Commissioner last October,” a spokesman for the GRA said.

“At this stage however, the matter remains under investigation and no further information can be provided.”