The UK’s data watchdog has fined a council in the London borough of Newham £145,000 for disclosing the personal information of 203 people listed on a police intelligence database known as the ‘Gangs Matrix’.
Exposed information included dates of birth, home addresses, gang associations and whether they were likely to carry a gun or knife.
In its investigation, the Information Commissioner’s Office (ICO) found that these details were then obtained by rival gang members between May and September 2017. A spate of gang violence in the borough of Newham that same year included victims whose details were exposed in the data breach.
However, the ICO said “it is not possible to say whether there was a causal connection between any individual incidents of violence and the data breach”, although it did “highlight the significant harm and distress” from the leaking of personal information.
James Dipple-Johnstone, Deputy Commissioner, said: “We recognise there is a national concern about violent gang crime and the importance of tackling it. We also recognise the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely.”
Newham Council data breach: More controversy for the Gangs Matrix
The controversial Gangs Matrix, which was set up in 2011 following the London riots, is subject to a wider ICO investigation that saw it slap the Metropolitan Police Service with an enforcement notice in November 2018 for lapses in data protection laws.
The details of the 203 individuals exposed in the Newham Council data breach were leaked after a council employee sent an email that included an unredacted version of the Gangs Matrix list.
It was sent to 44 recipients that included the council’s own Youth Offending team. External organisations also received the email.
“Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.”
The ICO also found that Newham Council failed to report the data breach and took a “significant time” to launch its own internal investigation.
Public sector data concerns
The Newham council data breach reflects how, while the public sector is increasingly relying on data-driven initiatives, data security is a top concern in the public sector.
A survey carried out by Big Data LDN and Qlik found that 20% of UK public workers felt security concerns were holding them back from sharing data, with 13% worrying about a data loss or breach, while 5% worry about the General Data Protection Regulation (GDPR).
Dipple-Johnstone added: “This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations.
“Data protection is not a barrier for information sharing but it needs to be compliant with the law. One of the ways in doing this is by conducting data protection assessments. We have a data sharing code which provides guidance on how to share data safely and proportionately, and we will soon be publishing an updated code.
“Ultimately, personal information must be processed lawfully, fairly, proportionately and securely, so the community can have confidence that their information is being used in an appropriate way.”
The data breach is not subject to larger fines enforceable under GDPR because the breach occurred before it came into effect.
Instead, the fine was issued under the previous legislation, the Data Protection Act 1998, which has a maximum penalty of £500,000.