London borough of Newham fined £145,000 over gang members' data leak
The Information Commissioner’s Office (ICO) has fined the London borough of Newham £145,000 following a data breach that led to the disclosure of the personal details of 203 ‘gang members’ featured on the Metropolitan Police Service’s (MPS) Gangs Matrix.
The database records intelligence related to alleged gang members in London, which is shared with relevant bodies to help tackle gang activity in their areas.
However, an ICO investigation found that the information about gang members was leaked in January 2017 after a Newham council worker emailed both redacted and unredacted copies of the Gangs Matrix to 44 recipients, including the council’s youth offending team and a voluntary agency. All these agencies cooperate with each other in an effort to check gang violence in the area.
The council only discovered the leak in December 2017 and initially considered it an internal matter – failing to notify the ICO, as required by law.
The data was originally sent to the council by the MPS. The details leaked as a result of the data breach included addresses, dates of birth, associated gangs and information on whether the individuals were prolific offenders (carrying firearms) or just carried knives habitually.
The ICO found that due to the negligence of the council staff, the leaked information eventually reached the social media network Snapchat before finding its way into the hands of rival criminal gangs.
In 2017, a surge in gang violence, including murder, occurred in the borough of Newham, with victims including those whose information was leaked through the shared Gangs Matrix.
According to the ICO, it was “not possible to say” whether the attacks happened as a result of the breach, but it highlighted that such leaks of personal data can cause “significant harm and distress” to many people.
The ICO also found that the council had no guidelines or policy in place for its staff regarding how to securely use and handle the Gangs Matrix database.
“This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations,” said James Dipple-Johnstone, deputy commissioner of the ICO.
“Ultimately, personal information must be processed lawfully, fairly, proportionately and securely, so the community can have confidence that their information is being used in an appropriate way.”