The ICO has fined Newham Council in London a massive £145,000 after the council emailed 44 recipients (both internal and external stakeholders) an unredacted copy of the Metropolitan Police Service's updated Gangs Matrix database. The database contained names, addresses, ages, alleged gang allegiances and criminal convictions.
The wider publication of this database did result in an upsurge of criminal gang activity in Newham with people on this database directly targeted. However, this upturn cannot be argued to be causally connected to the data breach.
The ICO states:
“We recognise there is a national concern about violent gang crime and the importance of tackling it. We also recognise the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely.
Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.
This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations.
Data protection is not a barrier for information sharing but it needs to be compliant with the law. One of the ways in doing this is by conducting data protection assessments. We have a data sharing code which provides guidance on how to share data safely and proportionately, and we will soon be publishing an updated code.”
The main problem with the breach wasn’t the distribution but the glaring lack of data protection frameworks, such as sharing agreements, policies and guidance notices, to help staff understand their responsibilities. If you’d like to know more about data protection and your rights as a business, why not visit this useful service created by the ICO?