A London council has been fined by the UK’s data protection regulator after accidentally leaking highly sensitive police intelligence to non-authorized third parties.
The Information Commissioner’s Office (ICO) handed the London Borough of Newham in East London a fine of £145,000 for revealing the identities of more than 200 suspected gang members.
A council employee accidentally emailed 44 recipients redacted and unredacted versions of the Gangs Matrix back in January 2017, the ICO revealed late last week. These recipients included the council’s Youth Offending Team and outside voluntary organizations.
Information contained in the so-called “Gangs Matrix,” which had been provided to the council by the Metropolitan Police, included dates of birth, home addresses, associated gang and information on whether they were a prolific firearms offender or knife carrier, the regulator claimed.
Worse was to follow when it appeared that this information leaked onto Snapchat, where rival gangs shared photos of the database between May and September 2017.
The ICO noted a spike in gang violence in 2017, with many of the victims having appeared on the database, although it fell short of making a direct connection between this and the data leak.
“We recognize there is a national concern about violent gang crime and the importance of tackling it. We also recognize the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely,” argued deputy commissioner, James Dipple-Johnstone.
“Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organizations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.”
The local authority was also castigated for failing to notify the ICO promptly, beginning its own investigation only in December 2017.
The ICO has already issued an enforcement notice to the Met in November last year, requiring the police force to improve its data sharing arrangements regarding the matrix.
Newham council was prosecuted under the old data protection regime, given that the incident fell before the GDPR start date of May 25 2018.