An investigation by the Information Commissioner’s Office (ICO) has found that the Metropolitan Police Service’s use of the Gangs Matrix led to multiple and serious breaches of data protection laws. The investigation into the Gangs Matrix, a database that records intelligence related to alleged gang members, began in October last year after concerns were raised by Amnesty International. The ICO found that, while there was a valid purpose for the database, the inconsistent way it was being used did not comply with data protection rules.
As a result, the ICO has now issued an Enforcement Notice compelling the Metropolitan Police Service to ensure it complies with data protection laws in future and has given the force six months to make these changes, which the Met has accepted and already started to implement.
James Dipple-Johnstone, deputy Information Commissioner of operations, said: “Protecting the public from violent crime is an important mission and we recognise the unique challenges the Metropolitan Police Service faces in tackling this. Our aim is not to prevent this vital work, nor are we saying that the use of a database in this context isn’t appropriate. However, we need to ensure that there are suitable policies and processes in place and that these are followed. Clear and rigorous oversight and governance is essential so the personal data of people on the database is protected and the community can have confidence that their information is being used in an appropriate way.”
The Metropolitan Police Service’s operating model governs the use of the matrix across the Metropolitan area. Each of the 32 London Boroughs operates its own Matrix. These are then compiled centrally to form a larger London-wide Gangs Matrix. The personal data of people recorded on the Gangs Matrix includes full names, dates of birth, home addresses and information on whether someone is a prolific firearms offender or a knife carrier.
What the investigation unearthed
The Gangs Matrix does not clearly distinguish between the approach to victims of gang-related crime and the perpetrators, leading to confusion among those using it.
The ICO’s investigation also found an operating model that was “unclear and inconsistently applied” across the London Boroughs, with some good practice in some areas, but poor practice elsewhere. Some Boroughs operated informal lists of people who had been removed from the Gangs Matrix, meaning that the Metropolitan Police Service continued to monitor people even when intelligence had shown that they were no longer active gang members.
There was also excessive processing of data as a result of ‘blanket sharing’ with third parties that failed to distinguish between those on the Gangs Matrix assessed as being high risk and those as low risk, with the potential for disproportionate action to be taken against people no longer posing a risk.
The investigation unveiled “serious breaches” of data protection laws with the potential to cause damage and distress to the disproportionate number of young, black men on the Matrix. There was also an absence of any Equality Impact Assessment that would enable the Metropolitan Police Service to show it had considered in this context the issues of discrimination or equality of opportunity.
In addition, there was an absence over several years of effective central governance, oversight or audit of data processed as part of the Gangs Matrix, resulting in the risk of damage or distress to those on it, as well as an absence of information sharing agreements governing the purpose and use of the data by those third parties and insufficient guidance about how the third parties should handle and use the data. This led to the increased potential for an inconsistent approach and harm to data subjects.
Steps to be taken
The Metropolitan Police Service must now take steps to ensure the Gangs Matrix complies with data protection laws. The measures involved include:
*Improving guidance to explain what constitutes a gang member and the intelligence required to demonstrate gang membership
*Ensuring people’s data on the Gangs Matrix is clearly identified in order to distinguish between victims of crime and actual or suspected offenders
*Erasing any informal lists of people who no longer meet the Gangs Matrix criteria
*Developing guidance in relation to the use of social media as a source of ‘verifiable intelligence’
*Ensuring that any Gangs Matrix information shared with partner agencies is done so securely and proportionately
*Conducting a Data Protection Impact Assessment of the Gangs Matrix
The Metropolitan Police Service already has an Action Plan underway and has stopped sharing personal data on the Gangs Matrix with third parties where there’s no individual sharing agreement in place. The force has committed to being more open about the database and is working with the ICO to complete a Data Protection Impact Assessment.
Dipple-Johnstone added: “I’m pleased that the Metropolitan Police Service has been co-operating with us and has committed to bringing the Gangs Matrix in line with data protection laws. We will continue to work with the Met. I believe that, by taking these steps and demonstrating that people’s data rights matter to them, the Metropolitan Police Service will be able to build increased trust among its communities.”
Due to the timing of the case it was dealt with under the provisions of the Data Protection Act 1998 rather than the General Data Protection Regulation (GDPR) and 2018 Act that replaced it in May this year.
The ICO will also be launching a second investigation that focuses on how partners of the police handle information, such as that provided through the Gangs Matrix, and is already investigating an alleged data breach at Newham Borough Council involving the Matrix.