The ICO has issued an enforcement notice, ordering the Metropolitan Police Service (MPS) to overhaul how it manages and shares data recorded on the Gangs Matrix, a database that records intelligence related to gang members.
The Gangs Matrix was created after the 2011 riots and has played a primary role in solving a wide range of serious crimes in London. However, it has been poorly managed since its inception. The law requires personal data rights to be respected, but the ICO has found that the Gangs Matrix breaches data protection laws.
The ICO began investigating the Met’s Gangs Matrix in October last year after Amnesty International raised concerns. The ICO has found that, although a valid purpose for the database exists, the Matrix was being used across boroughs in a noncompliant way.
The MPS’ operating model governs the use of the Matrix across the Metropolitan area. Each of the 32 London boroughs operates their own Matrix, which is then compiled centrally to form a larger London-wide Gangs Matrix.
The personal data of individuals recorded on the Gangs Matrix includes; full names, dates of birth, home addresses, and information on whether an individual is a firearms offender or knife carrier.
The Gangs Matrix can be shared with multiple public parties including local councils, housing associations and educations authorities. While the sharing of this data is necessary, it must be accomplished within the law. The way in which the data was being shared had the potential to cause damage and distress to those individuals on the Matrix.
Robert Peel, the founder of UK policing, said:
‘For the public to have confidence in the police, the police should also be bound by the law. This includes the law on data protection’.
Investigation outcomes include:
- The Matrix failed to clearly differentiate between victims of gang-related crime and the perpetrators.
- The operating model is ambiguous and is inconsistently applied across the boroughs (a mix of good and poor practice discovered).
- Individuals are kept on the matrix and monitored even after intelligence had shown that they were no longer active gang members, so personal data is processed after it’s no longer required and may be inaccurate.
- Excessive processing of data, failure to distinguish between high-risk and low-risk individuals on the Matrix and the potential for disproportionate action to be taken against people no longer posing a risk.
- Severe breaches of data protection laws with the potential to cause damage and distress to the disproportionate number of young, black men on the Matrix.
- The absence of Data Protection Impact Assessments.
- The absence of effective central governance, oversight or audit of data processed as part of the Matrix.
- The absence of information sharing agreements governing the purpose and use of the data by third parties and insufficient control and guidance over how third parties handle and use the data.
The MPS must ensure that the personal data on the Matrix is properly managed and shared appropriately, securely and fairly. The ICO has found that data of individuals not involved in gang crimes is being shared via the database. Additionally, potential discrimination issues exist. Incorrectly labelling individuals as gang criminals and sharing inaccurate data could result in severe and far-reaching effects on those individuals and could impact access to housing, education, social services and other public services.
The MPS are cooperating with the ICO. They have an action plan underway and have committed to making the changes needed to bring the Gangs Matrix in line with the data protection laws.
The ICO has confirmed it is currently investigating a data breach at Newham Borough Council involving the Matrix.
This case was dealt with under the provisions of the Data Protection Act 1998.