In April 2019, the Information Commissioner's Office (ICO) fined the London Borough of Newham £145,000 for the wrongful disclosure of the personal information of more than 200 people who featured on a police intelligence database, the Gangs Matrix.
The Gangs Matrix is a database that holds information of alleged gang members. The council, police and other statutory partners use the matrix to support their work in preventing and detecting crime, deterring gang activity and offering support for vulnerable children and young people.
The Information Commissioner has issued an enforcement notice to the Metropolitan Police Service in a bid to drive them to make changes to the matrix in order to ensure it complies with data protection laws.
The Gangs Matrix had been sent to Newham Council by the Metropolitan Police Service, with which the council was working in partnership, alongside other organisations, to tackle gang violence in the Borough. In January 2017, a council employee sent an email to 44 recipients, including the council's own Youth Offending Team as well as external organisations. That email contained both redacted and unredacted versions of the Gangs Matrix.
As a result, information pertaining to 203 individuals was shared. The information included dates of birth, home addresses, names of their alleged associated gangs and whether they were knife carriers or prolific firearms offenders.
In 2017, after the breach, the London Borough of Newham experienced a spike in gang-related violence, with victims including people who featured on the shared Gangs Matrix. The ICO investigation found that, after the breach, rival gang members had obtained photographs of the unredacted information from the Gangs Matrix and shared them via social media. That same year, a 14-year-old boy who was named in the released information died, and the Mayor of Newham apologised personally to the boy's mother for the ‘profoundly regretful data breach’.
The ICO investigation concluded that there was no evidence to show that the breach directly resulted in the increased gang violence activity experienced in the borough, but equally no evidence to show that it did not.
The investigation found:
James Dipple-Johnstone, the Deputy Commissioner at the ICO, said:
“Data protection is not a barrier for information sharing but it needs to be compliant with the law. One of the ways in doing this is by conducting data protection assessments. We have a data sharing code which provides guidance on how to share data safely and proportionately, and we will soon be publishing an updated code”.
The Information Commissioner's Office is currently reviewing and updating this Code following the Data Protection Act 2018 becoming law. It is comprehensive and remains a valid and useful resource for organisations to follow in its current state. The final code is expected to be released by the ICO in autumn 2019.
The introduction of the General Data Protection Regulation (GDPR) has increased the compliance obligations in relation to how personal data is shared. Set against the background that local authorities are now working in partnership with other bodies to deliver their services more than ever before, this highlights a complex working environment fraught with risk and challenge.
In response to the investigation, Newham Council has made changes to its management and processing of personal data, which include reviewing procedures and data sharing agreements, carrying out data impact risk assessments, using secure mail, mandatory training and an independent compliance audit.
These are all positive steps to take, and the key message for your own organisation is to ensure that your procedures are robust enough to catch such an error through your current control framework. If not, it is worth seeking independent advice to understand how you can strengthen your arrangements and tighten your data control mechanisms.
Practical steps that can be taken include:
Newham Council publicly apologised via its website following the outcome of the investigation and reaffirmed their commitment to protecting their young people. They accepted the gravity of the breach and laid out assurances that they would learn lessons and change practice and protocol to ensure data is protected, shared and stored correctly.
Despite positive, conscious action to manage data effectively, there is always the possibility that a breach can occur. More often than not this is due to human error rather than an inadequate process. How you respond to this situation is of paramount importance. Acting quickly, reporting to the ICO and advising all individuals affected by the breach, investigating without delay and implementing urgent corrections to prevent recurrence are all key to effectively taking back control of the situation.
Risk Management Partners Limited is the data controller of any personal information you provide to us or personal information that has been provided to us by a third party. We collect and process information about you in order to arrange insurance policies and to process claims. Your information is also used for business purposes such as fraud prevention and detection and financial management. This may involve sharing your information with third parties such as insurers, reinsurers, other brokers, claims handlers, loss adjusters, credit reference agencies, service providers, professional advisors, our regulators, police and government agencies or fraud prevention agencies.
We may record telephone calls to help us monitor and improve the service we provide. For further information on how your information is used and your rights in relation to your information please see our privacy notice at https://rmpartners.co.uk/privacy-policy. If you are providing personal data of another individual to us, you must tell them you are providing their information to us and show them a copy of this notice.