A recent enforcement notice issued by the Information Commissioner's Office ("ICO") against the Metropolitan Police Service ("MPS") demonstrates that no organisation, not even an enforcement body itself, is immune from data protection laws. It also demonstrates the need to carefully assess, in advance, the impact of high-risk processing of personal data.
Enforcement notices are one of the regulatory sanctions available to the ICO, and require a controller to take specified steps. Failure to comply with an enforcement notice is a criminal offence. The enforcement notice in question was issued under section 40 of the now-repealed Data Protection Act 1998 ("DPA98") (because the infringing events took place before 25 May 2018, when the General Data Protection Regulation ("GDPR") and the Data Protection Act 2018 came into force), but it points towards a potential expansion of focus by the ICO when it comes to regulatory action. Traditionally, almost all ICO action in response to data protection infringements has been regarding poor data security, but the MPS enforcement notice was, instead, served because of wider concerns regarding fairness, purpose-limitation and accuracy.
In response to the 2011 London Riots, the MPS set up a database known as the "Gangs Matrix". It records the personal data of individuals who are either gang members or suspected gang members (which, notably, includes the victims of gang-related crime). In some cases, the individuals were under the age of 18. After concerns were raised by Amnesty International, the ICO opened an investigation into the database, and found that there had been serious infringements of the DPA98. These included:
- retaining personal data for longer than necessary;
- excessive processing of data;
- processing data in a way which was not fair, lawful or in accordance with the conditions contained within the legislation;
- failing to take appropriate action against unauthorised or unlawful processing of data and against the accidental loss of personal data; and
- processing inaccurate data.
Data sharing between organisations
The Gangs Matrix contains personal data such as individuals' names, dates of birth, home addresses, identity codes (used to identify ethnicity), rank and score per the Matrix criteria (reflecting an individual's levels of risk and harm) and police and partner intelligence information.
The personal data was shared between agencies and third-party bodies, including housing associations, education authorities, the CPS and all 32 London Boroughs. It was shared for the purposes of potential enforcement and "diversion activity" against the suspected gang members. In this regard, the MPS relied on specified conditions in the DPA98 set out in Schedules 2 and 3, asserting that the processing was necessary under other statutory provisions, and for the administration of justice.
The ICO found that the data sharing was occurring informally between the MPS and the third parties. The data was often saved locally by individuals within the MPS and also by the third parties who received the personal data. This made it more difficult for the organisations to maintain control over who was accessing the data. Further, the MPS had failed to secure information sharing agreements with the third parties, which the ICO said was a basic necessity when sharing personal data between organisations.
The ICO was concerned about the large amounts of personal data being shared and the accuracy of that data. Crucially, the MPS had failed to carry out either a data protection or privacy impact assessment in relation to the Gangs Matrix. Although such impact assessments were not mandated under DPA98 (which they are now under the GDPR), they have for some time been recommended by the ICO as best practice for identifying and minimising the privacy risks of projects or policies. The ICO was particularly concerned that victims of gang-related violence were included in the Gangs Matrix without a distinction being made between them and the perpetrators of crime. The majority (64%) of the individuals in the Gangs Matrix were rated as green (low risk). In light of this, the ICO considered that the data processing by the MPS was excessive and lacking in differentiation.
It is interesting to consider whether the enforcement notice shows a change of focus of the ICO's regulatory action. If infringements of the fairness and transparency principles of data protection law are going to be priorities for the ICO, then many data controllers may need to reassess their own practices. Above all, this might indicate the importance of adopting a "data protection by design" approach – ensuring that an assessment of the impact of processing on the rights and freedoms of data subjects is undertaken at an early stage of policy development. Although data protection by design, and – more broadly – privacy by design, have been established concepts for some years, they have now been given a statutory underpinning in Article 25 of the GDPR (with the need, in certain circumstances, for data protection impact assessments appearing in Article 35).
Failure to carry out these requirements under GDPR can lead to significant costs and reputational issues for businesses and organisations further down the line. Much media focus has, perhaps understandably, been on the huge monetary penalty notices available to the ICO under GDPR. However, it should not be overlooked that the ICO has various other wide-ranging powers including the power to order data controllers to stop, or make major changes to, the systems they have in place. As the MPS have discovered, the exercise of those powers can potentially be just as costly as monetary penalties.