ICO fines London council for Police Gangs Matrix breach
The Information Commissioner's Office (ICO), has fined the London Borough of Newham £145,000. This comes after a breach disclosed the personal information of more than 200 people who featured on the controversial Gangs Matrix.
This case was considered under previous data protection legislation. If it had been brought under the General Data Protection Regulation, the fine could have been much higher.
What happened in the Police Gangs Matrix data breach?
The Gangs Matrix was set up following the 2011 London riots. It contains the names and personal details of thousands of people. According to the Met, these individuals either pose a risk of committing gang violence, or of becoming victims.
In January 2017, a council employee sent an email to over 40 recipients that contained an unredacted version of the Gangs Matrix. This included dates of birth, home addresses, and information on whether they were a prolific firearms offender or knife carrier. As well as their alleged associated gang.
The recipients of the email included partner organisations that work together to respond to gang-related crime. Between May and September 2017, rival gang members managed to obtain photographs of this information via the social media platform Snapchat.
What was the impact of the Police Gangs Matrix data breach?
During 2017, the Borough went on to experience incidents of serious gang violence. The victims included people whose data had been violated.
There is no concrete evidence that the data breach and the violence are connected. But the ICO recognises that significant harm and distress can be caused when this type of sensitive personal information is not kept secure.
The ICO has established several failures by Newham Council
Following its investigation, the ICO found that Newham Council had no specific sharing agreements, policy or guidance in place to regulate how its staff and partner organisations securely handled and used the Gangs Matrix.
To make matters worse, the Council did not report the data breach to the ICO. It did conduct an internal investigation. But this did not take place until many months after the breach was discovered.
Speaking about the data breach, the deputy commissioner of the ICO said: "Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious."
He added: "This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations.
"Data protection is not a barrier for information sharing but it needs to be compliant with the law. One of the ways in doing this is by conducting data protection assessments. We have a data sharing code which provides guidance on how to share data safely and proportionately, and we will soon be publishing an updated code.
"Ultimately, personal information must be processed lawfully, fairly, proportionately and securely, so the community can have confidence that their information is being used in an appropriate way."
This is not the first time the database has caused problems
In total, the Gangs Matrix holds details of around 3,500 people. Some of who are as young as 12. It stores their full name, date of birth, and home address. It also holds information on whether someone is a firearms offender or a knife carrier. Also, each individual is allocated a green, amber or red rating indicating their apparent risk of violence.
Concerns have been raised that the matrix violates human rights. Not least because young black men and boys make up more than three-quarters of the list. What's more, the Guardian found that in one London borough, 40% of young people on the list had "zero" risk of causing harm.
In response, the ICO has undertaken a separate review of the database. This found that a failure to adhere to data protection principles potentially caused "damage and distress" to the disproportionate number of black men on it. In response, the Metropolitan Police force was ordered to radically reform the matrix.
What can you do if you have suffered because of this data breach?
According to the ICO, problems with the Gangs Matrix go back to 2011 and created a plausible risk to this data. There is also real concern about the impact on its mainly black and ethnic minority data subjects (people on the database).
If you have suffered damage or distress caused by the Gangs Matrix you have a right to claim compensation. To find out how we can help you recover any losses, contact us to discuss your case in more depth.