South Yorkshire Police Data Loss

Susanne Reid - Data Protection Consultant

In this article written by Susanne Reid, Data Protection Consultant here at Data Protection People shares her thoughts on the South Yorkshire Police Bodycam Data Loss and talks about how it relates to Data Governance and SAR Compliance.

ICO Reprimands South Yorkshire Police Over Deletion of 96,000 Bodycam Videos

In July 2023, South Yorkshire Police (SYP) accidentally deleted over 96,000 pieces of body-worn video (BWV) evidence. The fallout has raised serious questions around data governance, SAR compliance, and organisational accountability. The Information Commissioner’s Office (ICO) has now formally reprimanded SYP, stating that the data loss was avoidable and the result of governance failures, not just technical issues.

For data protection professionals and organisations handling personal data, this case is more than a headline. It’s a warning sign.

What Happened at South Yorkshire Police?

Following a system upgrade in May 2023, South Yorkshire Police experienced issues processing BWV footage. A temporary workaround was introduced but, on 26 July 2023, 96,174 original video files were permanently deleted.

While 95,033 of those files had reportedly been copied to a new system before deletion, SYP admitted that incomplete record-keeping made it impossible to confirm exactly how much data was lost.

The damage wasn’t just operational. The loss impacted 126 criminal cases, and significantly, it also compromised the force’s ability to respond to Subject Access Requests (SARs).

Why This Matters for Subject Access Requests (SARs)

Under UK GDPR, individuals have the right to access their personal data. When records are lost because of poor governance, those rights disappear.

Article 15 gives individuals the right to access their data. Article 5(1)(d) requires organisations to keep data accurate and up to date. Deleting thousands of files by mistake is the opposite of compliance.

It’s a reminder that SARs aren’t just an administrative process. They depend on good governance, reliable systems, and a culture that treats data as valuable.

What Went Wrong at SYP

The ICO identified several failings:

No adequate backup solution in place
Poor or missing risk assessments before transferring data between systems
Weak or inconsistent record-keeping
Inadequate documentation of file retention and deletion

These are not isolated technical failures. They are systemic governance gaps that many organisations, public and private, may unknowingly share.

Lessons for Organisations: Building a Resilient Data Governance Framework

So, what can we learn from this? Here are four actions that every organisation should consider:

1. Robust Data Mapping
Know what personal data you hold, where it’s stored, and who has access to it. Without this, even the best systems are blind spots waiting to happen.

2. Turn Policies Into Practice
Define procedures for data collection, access, transfer, backup, and deletion. Make sure these are enforced, not just written.

3. Proactive Risk Assessments
New systems, upgrades, or vendors all bring risks. Identify them before switching anything on.

4. Audit and Stress-Test Regularly
Don’t wait for an ICO reprimand to discover your governance is failing. Run reviews and spot-checks as part of business as usual.

FAQs: Data Loss, SARs, and Governance

What is the risk of poor data governance?
It’s more than just an IT headache. Poor governance can block SAR responses, lead to regulatory action, damage your reputation, and even trigger legal claims.

What happens if you can’t fulfil a SAR because the data is lost?
You’re still expected to respond. You must tell the individual that the data is no longer available and explain why. But if the loss was avoidable, the ICO may still see it as a failure to meet your GDPR duties.

Is it a breach if the data was deleted but not accessed by a third party?
Yes. A personal data breach isn’t just about leaks. Under Article 33, loss, destruction, or unauthorised alteration of personal data can all count as breaches — even if no third party saw the data.

Do backups need to be GDPR compliant too?
Absolutely. Backups are still personal data. They must follow the same rules on security, retention, access, and lawful processing. A backup that isn’t GDPR-compliant isn’t really a backup at all.

How Data Protection People Can Help

At Data Protection People, we specialise in helping organisations build proactive, scalable data governance frameworks that reduce risk and support GDPR compliance.

We support clients with:

Data mapping and retention policies
SAR readiness assessments
Back-up and deletion strategy audits
Staff training and policy creation
DPIAs for system changes and upgrades

Whether you’re a police force, public authority, or commercial business, we’ll help you move from reactive data management to proactive governance.

Need help improving your data governance or SAR processes?

Speak to a data protection expert

Cyber Security Services

PCI DSS

ISO 27001

Cyber Security Consultancy

Cyber Security Support

Pentesting

External Attack Surface Management

Data Protection Services

SAR Support

Data Protection Support

Outsourced DPO

Data Protection Consultancy

Information Management Software

GDPR Training

GDPR Audits

GDPR Representative

GDPR Documentation

GDPR Toolkit

Information Rights Request

24/7 Support whenever you need it