The report says some police staff used their access to a growing trove of police data, which includes personal information on civilians, for entertainment and personal and financial gain.
The report, which is based on Freedom of Information requests sent to all UK police forces, raises questions about the police's ability to protect civilian data. Specifically, privacy advocates are concerned about access to Internet Connection Records, which is the new type of data that would be collected under the UK's Investigatory Powers Bill.
In several notable incidents, one Metropolitan Police officer found the name of a victim so funny that he attempted to take a photo of the driving license and send it to his friend over Snapchat. A Greater Manchester Police officer tipped someone off that they would be arrested, and one from North Yorkshire Police conducted a check on a vehicle on his phone whilst off-duty.
This long series of incidents paints a bleak picture for what police officers might get up to if they are granted access to so-called Internet Connection Records
The report also includes incidents of staff distributing other types of police data. Someone from South Wales Police was dismissed after photographing and distributing restricted documents "for personal gain," the report said.
Not only was some information not needed for official police work, according to the report, but was shared with third parties outside the police, including some organized crime groups, 877 times.
In total, 2,315 incidents of inappropriate access or distribution of data were reported.
The majority of incidents, 1,283, ended up with no disciplinary action taking place, while 297 ended in a resignation or dismissal, 258 resulted in a written or verbal warning, and 70 led to a criminal conviction or caution.
Of course this long series of incidents paints a bleak picture for what police officers might get up to if they are granted access to so-called Internet Connection Records (ICRs). These records will include a list of every website the civilian has visited along with other connections that their devices and computers make, such as when they were using a certain chat service. Internet service providers will be forced to collect ICRs on all their customers if the Investigatory Powers Bill, which is currently making its way through the House of Lords, becomes law.
It's not hard to imagine certain police officers trying to take advantage of this data for their own ends—checking in on a lover's browsing history? Using the data to blackmail someone who visited a particularly embarrassing site?
With that in mind, Big Brother Watch makes several recommendations, including criminal records for serious data incidents, and mandatory reporting of an incident that concerns a member of the public.
"The Metropolitan Police Service takes data security very seriously and will take robust action where it is shown that any of its 45,000 officers or staff have fallen short of their legal responsibilities or the Code of Ethics," a Metropolitan Police spokesperson told Motherboard in an email.
"Employees are regularly reminded of their responsibilities and as the figures show only a small proportion of the Met's employees fail to meet the required standards. However, we are not complacent and fully recognise that our role, and the trust placed in us, as the Capital's police service requires the utmost discretion in the way we manage the huge amount of personal information we come into contact with on a daily basis."