The Information Commissioner’s Office (ICO) has published a stinging rebuke of the Metropolitan Police Service for multiple and serious data breaches in its use of the Gangs Matrix database.
It said an investigation has revealed a series of shortcomings in the way the force used the database, leading to it breaking data protection rules on several counts.
The ICO has now issued an Enforcement Notice, giving the Met Police six months to make changes to ensure it complies with data protection laws in future.
Gangs Matrix records intelligence related to alleged gang members, with each of the 32 London boroughs operating their own version and feeding data into the central database. It includes full names, dates of birth, home addresses, and information on whether someone is a prolific firearms offender or knife carrier.
The ICO’s investigation, prompted by concerns raised by Amnesty International, unearthed a series of transgressions in how the Met Police was using the database.
Lack of distinctions
Among these were that the database does not make clear whether a person is a perpetrator or a victim of crime; that it was used inconsistently across boroughs; that some boroughs kept lists of people removed from the database after apparently turning away from gang crime, enabling the Met Police to continue monitoring them; and that there was blanket sharing with third parties that failed to distinguish between people assessed as high and low risk.
In addition, the Met Police did not carry out an equality impact assessment, there was no audit of the data processed, no effective central governance, and no information sharing agreements with third parties.
A big failure was the potential to cause damage and distress to the disproportionate number of young black men on the Matrix, said the ICO.
James Dipple-Johnstone, deputy information commissioner of operations, said: “Protecting the public from violent crime is an important mission and we recognise the unique challenges the MPS faces in tackling this.
“Our aim is not to prevent this vital work, nor are we saying that the use of a database in this context is not appropriate; we need to ensure that there are suitable policies and processes in place and that these are followed.
“Clear and rigorous oversight and governance is essential, so the personal data of people on the database is protected and the community can have confidence that their information is being used in an appropriate way.”
Compliance steps
The ICO subsequently ordered the Met Police to take a series of steps to comply with data protection laws. These include improving guidance on how to identify gang members, ensuring that data on an individual is clearly marked to show whether they are victims or suspected offenders, and erasing any informal lists of people who do not meet the Gangs Matrix criteria.
It also told the force to develop guidance on the use of social media as a form of verifiable intelligence, ensure that any sharing that does take place is secure and proportionate, and conduct a data protection impact assessment.
In response, the Met Police has acknowledged the shortcomings and launched an action plan to comply with the ICO’s demands.
The ICO also revealed that it is to run a second investigation on how partners of the police handle information, such as that provided through the Gangs Matrix, and is already investigating a data breach at Newham Council involving the database.