The Information Commissioner has issued an Enforcement Notice against the Metropolitan Police Service (MPS) after an investigation found that the operating model governing use of an intelligence gathering Gangs Matrix database was in breach of the Data Protection Act 1998.
The Gangs Matrix is a compilation of data from the 32 London Boroughs, who all operate their own Matrix, and stored personal data such as full names, dates of birth, home addresses, and information on whether someone is a prolific firearms offender or knife carrier. The ICO concluded that while there was a valid purpose for maintaining the database, inconsistencies in the way the operating model was used meant that the DPA 1998 was breached.
Some of the breaches set out in detail in the Enforcement Notice are rather damning. A few examples set out show the issues that the ICO unearthed:
“The Model set no retention period for gang nominal information and in some Boroughs, when a data subject was removed from the Gangs Matrix, their personal data was nonetheless retained on an informal list of ‘gang associates’ held at local level on the relevant officer’s personal system drive.” [25-26]
“the Gangs Matrix was being shared by the MPS in full, in unredacted form and to a range of public authority and private body third parties with both statutory and non-statutory functions….Such blanket and undifferentiated sharing of personal data and sensitive personal data (because some data concerns criminal convictions or allegations of the commission of criminal offences) is disproportionate: it goes beyond what is reasonably necessary to achieve the MPS’s legitimate purposes in preventing and detecting crime and prosecuting offenders.” [37-38]
“No equality impact assessment was produced and the MPS also failed to carry out a data protection or privacy impact assessment of the Matrix at any point. Compliance with section 149 of the Equality Act 2010 is a legal duty so non-compliance rendered the consequent processing of personal data unlawful contrary to DPP1.” [42]
“Gangs Matrix data has been routinely transferred by MPS officers in a variety of unsecured ways. It was not encrypted.” [49]
“the approach, noted above, of at least some officers within the MPS that a person who is the victim of more than one gang-related crime is presumed to have gang associations themselves and is identified as such in the Gangs Matrix. More generally, the Matrix itself guides officers that being a victim of gang-related violence is part of that individual’s crime history for the purposes of Matrix scoring assessments. Whilst the assumption of gang involvement of victims may be accurate in some cases, it cannot be said to be uniformly accurate. The Matrix does not accurately or fairly note that a victim has been included on the Matrix solely or primarily because of their victim status; the context will not be apparent to all officers and still less to the third parties to whom the data is provided. This a contravention of DPP4.” [57]
In all, the ICO found that five Data Protection Principles has been breached. Such was the seriousness of these breaches and the sensitive nature of the data being processed, they rejected the MPS’s request not issue the notice and instead give them to have six months to respond a Preliminary Enforcement Notice.
An interesting aspect of the investigation is that it reveals the weight placed by the ICO on the need for data processing to be considered in the context of the Equality Act 2010.
For more, read the ICO news story and the full Enforcement Notice.