chalabala - Fotolia

London council fined by the ICO for disclosing personal information held on Met Police Gangs Matrix

The London Borough of Newham has been fined for disclosing the sensitive personal information of more than 200 individuals that police held information on

The Information Commissioner’s Office (ICO) has fined the London Borough of Newham £145,000 for “the unfair and excessive” disclosure of personal data belonging to 203 individuals featured on the Metropolitan Police Services’ (MPS) controversial Gang’s Matrix database.

The ICO investigation found that a Newham Council employee had sent an email containing both redacted and un-redacted versions of the Gangs Matrix to 44 recipients in January 2017.

When individuals are placed on the Matrix, they are assigned an automated “harm” score, which is supposed to show how likely they are to commit a violent offence.

However, 40% of people on the Matrix have a harm score of zero, and 64% are included in the lowest risk “green” category. A number of individuals have also been included on the Matrix for being the victims of stabbings.

Out of the 203 people who had their information shared by Newham, at least 80 had a harm score of zero.

According to the monetary penalty notice issued by the ICO, copies of the Matrix were sent by the MPS to the Newham Youth Offending Team (YOT), which then forwarded it to a variety of Newham departments and external statutory agencies.

The notice also said that the MPS has been providing the YOT with updated versions of the Matrix on a near-monthly basis since 2014, providing both redacted and un-redacted versions on every occasion.

The un-redacted version included the data subject’s home address, name, ethnicity, age, and their Police National Computer (PNC) ID, among other personally identifying details.

“Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the un-redacted database with a large number of people and organisations, when a redacted version was readily available,” said deputy information commissioner James Dipple-Johnstone. “The risks associated with such a transfer of sensitive information should have been obvious.”

The ICO penalty notice added that since the un-redacted Matrix was shared there have been a number of violent incidents, including murder, involving people whose information appeared in the compromised pages.

While the ICO avoids drawing any causal connection between the incidents, they have been highlighted in the notice as examples of the extent of harm that could result from a breach of this kind.

“This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations,” said Dipple-Johnstone.

“Ultimately, personal information must be processed lawfully, fairly, proportionately and securely, so the community can have confidence that their information is being used in an appropriate way.”

While the MPS maintained to the ICO that it had not given permission for the un-redacted database to be shared more widely, Newham was unable to identify any written policy, guidance or agreement on how to handle, store or distribute the information in compliance with the Data Protection Act.

The data-handling practices of the MPS, however, have been the subject of a separate enforcement notice, issued in November 2018, which found that its use of the Matrix had led to serious breaches of data protection laws.

Despite the MPS’ deadline for compliance being May 2019, it has been revealed that police are already secretly piloting a similar multi-agency database in Lewisham called the Concern Hub, which it planned to announce and roll out in April, a month before the enforcement notice ended.

Civil society groups and activists have expressed concern over the new database, fearing it would be a repeat of the Gangs Matrix and lead to further discrimination.

As of yet, it is unclear how the Concern Hub will be different from the Matrix, and if there will be any written guidance on how to lawfully share the data on it.

Read more about technology and the police

  • MI5 and the Metropolitan Police are looking into greater use of data analytics to support activities around tackling terrorist threats.
  • The Home Office and the Department for Transport (DfT) are investing nearly half a million pounds in the development of technology to tackle the issue of people carrying concealed blades in public places.
  • Rising volumes of digital forensic evidence, public demands to engage with the police online, and reduced budgets need to be handled with more “imaginative” use of data, along with regulation, according to research by independent think tank the Police Foundation.

Read more on Security policy and user awareness