London borough fined £145k for sharing data on 200 suspected gang members
Newham Council worker sent email with info including names and address
Credit: Daniel Reinhardt/DPA/Press Association Images
The Information Commissioner’s Office has fined the London Borough of Newham £145,000 for disclosing personal data related to more than 200 alleged gang members.
The ICO noted that the data disclosed by the council subsequently found its way into the hands of rival gangs, and that some people whose information was leaked suffered violent attacks – although the regulator stressed that “it is not possible to say whether there was a causal connection between any individual incidents of violence and the data breach”.
The breach in question occurred in January 2017, when a member of staff at Newham Council emailed 44 people with both a redacted and unredacted version of the Gangs Matrix database that had earlier been supplied to the authority by London’s Metropolitan Police Service. Included in the unredacted version was personal information related to 203 alleged gang members – including names, addresses, dates of birth, gang affiliations, and history with weapons.
The email was sent to Newham’s youth offending team, as well as to various external agencies, including a voluntary agency that works with the council to tackle gang crime.
ICO investigators found that, later in 2017, rival gangs got hold of photos of the unredacted database shared by the council. These images were reportedly obtained via Snapchat.
The regulator added that, while it could not state with certainty there was a connection, the people whose data was leaked were among the victims of “a number of incidents of serious gang violence” in Newham during 2017.
Newham Council also failed to report the incident to the ICO, and did not commence its own internal investigation until December 2017, which the regulator said was “a significant time after they became aware of the breach”.
“We recognise there is a national concern about violent gang crime and the importance of tackling it,” said deputy information commissioner James Dipple-Johnstone. “We also recognise the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely."
“Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.”
In response, the council said that no-one has yet established how the information - which it said was inadvertently shared by one of its employees - got into the public domain. It added that it has made changes to its processes for managing and processing personal data.
Mayor Rokhsana Fiaz said: "On behalf of Newham Council I accept the seriousness of the unredacted gangs matrix list being distributed on this single occasion in January 2017 and am sorry that it happened. While there were information sharing protocols in place at the time, clearly they could have been better. The Information Commissioner has recognised that the breach was not deliberate and we welcome that. Since becoming mayor in May last year I have been embedding an enhanced culture of safeguarding across the organisation and this includes the internal control of sensitive safeguarding data in line with ICO requirements and new data protection regimes."
PublicTechnology editor Sam Trendall believes that the government’s online harms strategy must address their impact, as well as their cause
Lords urge Home Office to widen promotion and ensure EU citizens have physical documentation of status
Ruth Milligan of techUK explains why the government must take the lead to ensure the UK implements a system of digital identities
Funding situation still uncertain but blog post reveals rapid response unit will continue through 2019