South Yorkshire Police (SYP) has been issued with a formal reprimand by the UK’s data protection regulator after more than 96,000 items of body-worn video (BWV) footage were permanently deleted.
The Information Commissioner’s Office (ICO) found that the force failed to put in place adequate safeguards to protect evidential material, despite warnings as early as 2019 that its IT backup capacity was at risk of failure. The watchdog concluded that SYP had breached sections 34 and 40 of the Data Protection Act 2018, which require police forces to demonstrate compliance with data protection principles and to process personal data securely.
While SYP has stressed that only a handful of criminal cases were directly affected, the regulator said the episode exposed “serious weaknesses” in the force’s approach to data security and record-keeping. It also warned that other police forces and public bodies using body-worn technology should learn lessons from the incident.
The deletion incident
Body-worn video has become a central part of modern policing, used both to reassure the public and to capture evidence at the scene of incidents. Officers are required to upload footage at the end of their shift into a central system, known as the Digital Evidence Management System (DEMS), which manages evidence alongside other digital records.
In May 2023, SYP upgraded DEMS, but the system soon began to struggle with processing data. As a temporary workaround, files were stored on a local drive, with the expectation that they would later be transferred into the central “Storage Grid” repository.
On 26 July 2023, during a data transfer carried out by the third-party supplier of the system, 96,174 original video files were deleted. The loss was not immediately detected. It was only in early August, when an IT manager noticed the system was running critically low on storage, that an investigation began.
By September, a forensic review confirmed the mass deletion. Although nearly 95,000 of the files had previously been copied into a new platform — the Digital Asset Management System (DAMS) — the copies were not consistently labelled, making it impossible to confirm exactly how many videos had been permanently lost.
The deletion covered material linked to 126 criminal cases. According to SYP, only three investigations were directly affected, and just one might otherwise have reached a first court hearing. The force said progression to prosecution was already doubtful in that case due to a lack of other independent evidence.
Beyond criminal proceedings, the loss also meant SYP was unable to provide video evidence in nine civil claims, one judicial review, and four subject access requests from members of the public.
ICO findings
The ICO’s reprimand set out a catalogue of failings. Among them were:
-
Delayed action on backup risks: Problems with backup capacity had been identified in 2019, but senior leadership was not fully briefed, and no remedial steps were taken. The result was that footage uploaded after July 2020 could not be restored once deleted.
-
Poor record-keeping: Files transferred to the new DAMS system were generically labelled, meaning SYP cannot now reconcile which specific recordings were lost.
-
Inadequate oversight of contractors: Although a contract existed with the third-party supplier, it lacked sufficient detail on how data should be processed. Remote access was routinely granted to the supplier without effective monitoring.
-
Failure to identify risks in advance: SYP had carried out a Data Protection Impact Assessment (DPIA) when body-worn video was introduced, but did not consider the risk of data loss during transfer between systems.
The regulator concluded that the force had breached its duty under section 34(3) of the Data Protection Act to demonstrate compliance, and under section 40 to ensure security of personal data used for law enforcement purposes.
Sally Anne Poole, the ICO’s Head of Investigations, said the case underlined the need for rigorous safeguards.
“People rightly have high expectations that our police forces and services, which protect us, also protect the personal information they hold.
This incident highlights the importance of having detailed policies and procedures in place to mitigate against the loss of evidence. There is a lot to be learned from this incident and I encourage police forces and other organisations using this type of technology to check and make improvements where they find potential flaws.”
Remedial steps and response
The ICO acknowledged that SYP has taken action since the loss came to light. The force reviewed each criminal case to assess whether the absence of footage would harm prosecutions or victims, attempted data recovery, and informed affected parties on a case-by-case basis.
It also began shadowing third-party contractors when they accessed IT systems, introduced more structured planning around data backup, and issued a public press release to notify data subjects.
Nevertheless, the ICO’s reprimand makes clear that these steps came only after substantial loss had already occurred.
Recommendations for improvement
Alongside the reprimand, the regulator issued non-binding recommendations aimed at preventing recurrence. They include:
-
Ensuring reliable backup systems and the ability to restore lost body-worn video.
-
Clearly defining roles and responsibilities of third-party suppliers when handling police data.
-
Completing risk assessments before granting contractors access to IT systems.
-
Reviewing data protection impact assessments to identify and mitigate specific risks, such as data transfer failures.
-
Improving record-keeping, so that files are individually identifiable and traceable.
The ICO emphasised that while the recommendations are voluntary, failure to act could be treated as an aggravating factor in any future enforcement action.
Broader context
The reprimand comes amid growing scrutiny of how police forces manage sensitive data. Body-worn video is seen as an essential tool in increasing transparency, deterring misconduct, and providing impartial evidence. But with those benefits comes an expectation that material will be securely handled.
Other forces have also faced regulatory action over data protection failures. In recent years, reprimands have been issued to forces including Surrey Police and Kent Police for shortcomings in handling personal data, while the Metropolitan Police has been subject to criticism over its management of large-scale databases.
The ICO has a range of enforcement tools, from reprimands — the lowest tier of formal intervention — to fines and enforcement notices. The choice of a reprimand in SYP’s case reflects both the seriousness of the loss and the steps taken since to reduce harm. But the decision also serves as a warning across policing that systemic IT vulnerabilities, particularly where third-party suppliers are involved, must be actively managed.
Public interest and trust
Although SYP has sought to downplay the impact on prosecutions, the loss of more than 96,000 pieces of potential evidence is significant. For victims, defendants and their representatives, the absence of video material may raise concerns about whether justice has been served in specific cases.
Equally, the failure to respond to subject access requests because footage was no longer available highlights risks to the public’s ability to exercise their rights under data protection law.
Body-worn video was introduced in part to build public trust. But as the ICO notes, that trust depends on police forces demonstrating that they can manage and protect the information they collect.
The incident is likely to add to calls for stronger oversight of digital policing projects, particularly as forces become increasingly reliant on contractors and complex IT systems. The National Police Chiefs’ Council and the Home Office have previously emphasised the importance of robust data governance in policing, while inspectors at HMICFRS have repeatedly identified shortcomings in forces’ management of technology.
Conclusion
The ICO’s reprimand of South Yorkshire Police underscores the risks inherent in managing large volumes of sensitive data without adequate safeguards. While only a small number of cases were directly affected, the loss of more than 96,000 files reflects systemic failings in backup provision, contractor oversight and record-keeping.
The regulator has stopped short of issuing a fine or binding enforcement order, but has set out clear recommendations. Should the force fail to follow them, the ICO has warned it could face tougher action in future.
For the public, this episode is a reminder that the same technology intended to increase confidence in policing can undermine it if not properly managed. For police forces nationally, it is a signal that the security of body-worn video evidence cannot be taken for granted.
____________________________________________________________________________
Neil Wilby is a journalist, court reporter and transparency campaigner who has reported on police misconduct, regulatory failures, and criminal and civil justice since 2009. He is the founder and editor of Neil Wilby Media, launched in 2015.
Page last updated: Wednesday 20th August 2025 at 12h25
Corrections: Please let me know if there is a mistake in this article. I will endeavour to correct it as soon as possible.
Right of reply: If you are mentioned in this article and disagree with it, please let me have your comments. Provided your response is not defamatory, it will be added to the article.
Image Credits: Police Scotland
© Neil Wilby 2015–2025. Unauthorised use, or reproduction, of the material contained in this article, without permission from the author, is strictly prohibited. Extracts from, and links to, the article (or blog) may be used, provided that credit is given to Neil Wilby, with appropriate and specific direction to the original content.
Neil Wilby Media 
Leave a comment