The force is being investigated for obtaining information on “persistent” complainants after it asked an NHS trust to provide medical details.
The force was provided with personal data on 16 people, without their knowledge, after a request was made to the trust running St George’s mental health hospital in Stafford.
Police asked for details on the complainants, asking if they were “known to mental health services and what for”.
The request led to an investigation being launched by the Information Commissioner’s Office (ICO) after one of those involved complained.
The ICO is looking into a potential illegal breach of the Data Protection Act, saying it is “reviewing the complaint” and has warned the force it must comply with data legislation.
The request was made to Midlands Partnership NHS Trust (MPFT), which runs St George’s Hospital. The trust said the worker who received the email “duly responded to this request” and that doing so was “outside of trust protocol and the ISA (Information Sharing Agreement) between the two organisations”.
Lawyers for Staffordshire Police said the request was made to ensure the complainant was “dealt with in the most appropriate way”.
The group of 16 was on a watch list as they had lodged regular complaints with the force.
At one point the ICO suspected Staffordshire Police had breached the Data Protection Act 1998 (DPA98) but the force has said it was not found to have been in breach of the act.
Documents shared with the Express & Star revealed details of various stages of the investigation and contained criticism of the force from the ICO over its actions.
The MPFT accepted the personal data should not have been shared and admitted to a "breach of duty", the documents showed.
The request was made by the force's mental health co-ordinator, on the orders of an unnamed detective inspector, in March 2016. But it was not until more than two years later, in May 2018, that a complaint was made to the ICO when one of the 16 became aware his details had been shared. It is not known whether the other 15 were informed. They were described by the force's legal team as "complainants who had corresponded with the force complaints department on a regular basis".
The trust referred itself for investigation by the ICO after becoming aware of the breach. Staffordshire Police did not report the matter to the ICO, despite requesting the information.
A 62-year-old man who was among the 16 to have his data shared and reported the force after becoming aware of what happened said the affair had destroyed his trust in both the police and NHS.
The man, who asked to remain anonymous, said: "Both my wife and I were really shocked that this had gone on. It throws both organisations into disrepute. I don't trust the NHS anymore as a result of it. I would be loath to discuss anything with my own GP anymore. I certainly don't trust the police. What the hell they are doing with these checks? It's disgusting."
A letter from the trust's Adrian Marsden referring itself to the ICO for investigation contained details of the original email.
The letter said: "On March 18, 2016, a member of our staff at South Staffordshire and Shropshire Healthcare Foundation Trust (now MPFT) was directly approached by the force mental health co-ordinator at Staffordshire Police advising that they 'had been asked by Professional Standards to have a look at the list of persistent callers to the force. Firstly however I would like to know if any of these people are known to mental health services and what for. If you could kindly have a look at the list and let me know I would be very grateful'.
"The individual duly responded to this request, this action is outside of trust protocol and the ISA (Information Sharing Agreement) between the two organisations."
An investigation was then launched by the ICO. In a letter to the Staffordshire force dated September 2018 updating it on the probe, it said: "Having considered this matter we do believe that SP (Staffordshire Police) contacting the NHS for the disclosure of personal information data is not the appropriate way of determining the service needs of an individual and we are concerned that SP has done this in (this) case.
"As such in our view it is likely that SP has contravened the DPA98 in this case by asking the trust to disclose personal data to them."
It continued: "We would strongly suggest that SP reviews this process of obtaining information from the NHS in cases like this (if it is still being used) and ensures that any requests for personal data is done in accordance with the data protection legislation."
When approached by the Express & Star, Staffordshire Police said it had not been found to have breached the DPA98. The ICO has only said it is "reviewing the complaint".
A Staffordshire Police spokeswoman said: "Staffordshire Police’s Performance and Standards Department requested information from the NHS in 2016 for a policing purpose based on safeguarding concerns. The Information Commissioner’s Office found that Staffordshire Police had not breached the Data Protection Act. They have suggested that the force ensures any requests for personal data is done in accordance with the data protection legislation.”
MPFT admitted it had breached the act.
A spokeswoman said: "The trust has been made aware of the DPA breaches and investigated fully, appropriately making a referral to the Information Commissioners Office. The trust takes information governance seriously and all staff complete annual training. Unfortunately, on this occasion, mistakes were made and the process was not followed. The trust has taken and will continue to take steps to protect against any further DPA breaches in the future."