UK data watchdog the Information Commissioner’s Office has found that the Metropolitan Police Service’s Gangs Matrix system breached data protection laws.

The Gangs Matrix was set up in 2011 following the London riots and stores data such as names, addresses, date of birth, violent crime history and social media posts on individuals.

The ICO found that while there is a “valid purpose” for the Gangs Matrix, it lacks oversight and does not distinguish between the victims and perpetrators of gang crimes.

Some London boroughs continued to monitor people after they had been removed from the Gangs Matrix. Data was also shared with third parties that did not distinguish between high-risk and low-risk names.

“Our aim is not to prevent this vital work, nor are we saying that the use of a database in this context is not appropriate; we need to ensure that there are suitable policies and processes in place and that these are followed,” said deputy information commissioner of operations, James Dipple-Johnstone.

“Clear and rigorous oversight and governance is essential, so the personal data of people on the database is protected and the community can have confidence that their information is being used in an appropriate way.”

Gangs Matrix found to be “racially discriminatory”

The ICO launched its investigation in October 2017 after human rights organisation Amnesty International published a report into the Gangs Matrix, branding it as “racially discriminatory”.

According to the BBC, figures from July 2016 showed 78% of people on the list were black, while black people make up about 13% of London’s population.

Responding to the ICO’s verdict, Amnesty International technology director Tanya O’Carroll described the Gangs Matrix as “currently not fit for purpose”.

“As the ICO state, the absence of effective central governance has risked causing damage and distress to many people – mainly young, black men – who are on the Gangs Matrix.

“While we welcome the findings, we would urge the Mayor’s own forthcoming review to ensure that their own recommendations are robust, and address the concerns raised in our report Trapped In The Matrix.”

O’Carroll added that the database should be disbanded if it could not meet international human rights standards.

3 Things That Will Change the World Today

A “lack of data governance”

Robert Wassall, director of legal services at ThinkMarble told Verdict that the ICO’s enforcement action comes down to the “lack of data governance.”

“In other words, it’s not what the MPS was doing that was wrong, it was how they went about doing it.”

“Unfortunately, the failure to put in place both a suite of suitable data protection related policies and processes and a mechanism to ensure that these are followed is a mistake many organisations make.

He added that these types of failures usually occur when organisations don’t have an expert overseeing data practice, such as a data protection officer.

“Every organisation that wants to comply with the GDPR and that values protecting people’s privacy should ensure there is someone who will ensure it has put in place an effective data governance structure,” he said.

What next?

The ICO has issued an enforcement notice and has compelled the Metropolitan Police Service to make a range of changes over the next six months.

These include improving guidance, correctly distinguishing between victims and suspects, erasing people who do not meet the Gangs Matrix criteria and ensure the correct protocol is followed when sharing information with other agencies.

Because of the timing of the data misuse, the ICO handled the case under the Data Protection Act 1998 instead of GDPR.

ICO deputy commissioner Dipple-Johnstone added:

“I am pleased that the MPS has been co-operating with us and has committed to bringing the Gangs Matrix in line with data protection laws, and we will continue to work with them.

“I believe that by taking these steps and demonstrating that people’s data rights matter to them, the MPS will be able to build increased trust amongst their communities.”

Read more: AI’s role in addressing data overload and GDPR compliance