According to the Yorkshire Evening Post, Sanya Shahid “carried out unauthorised searches on the police computer system to access records in October 2020 when she had no legitimate policing purpose for doing so.”
A nine-month investigation into her conduct led to her arrest in May 2021. While press reports do not make all the details of the case clear, it is likely that it was possible to determine the officer at fault through the use of database system logs. These indicate which user has accessed a system, when they have done so, and for what reason.
However, changes to UK data protection law currently approaching their final stages in the House of Lords would eliminate the need for police forces to record the reason an officer has accessed a particular database.
The Data Protection and Digital Information Bill amends the 2018 Data Protection Act so that logs on consultation and disclosure of information held in law enforcement databases would no longer have to record the justification for consultation or disclosure.
The amendments would strike out the following text from the law:
(1) A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—
(a) collection;
(b) alteration;
(c) consultation;
(d) disclosure (including transfers);
(e) combination;
(f) erasure.
(2) The logs of consultation must make it possible to establish—
(a) the justification for, and date and time of, the consultation, and
(b) so far as possible, the identity of the person who consulted the data.
(3) The logs of disclosure must make it possible to establish—
(a) the justification for, and date and time of, the disclosure, and
(b) so far as possible—
(i) the identity of the person who disclosed the data, and
(ii) the identity of the recipients of the data.
