+44 (0)20 7404 0606
An "especially flagrant contravention"
An “especially flagrant contravention”, was the verdict of the Information Commissioner’s Office resulting in its decision to fine Newham Borough Council a total of £145,000 for its breach of the Data Protection Act 1998. This is a significant decision given the unusual circumstances of the case, as the breaches in question may have resulted in individuals whose data was compromised coming to actual physical harm. Accordingly, this case serves as a sobering warning to data controllers to ensure that, at the very least, they are complying with current legislation and have the requisite policies and procedures in place because, as emphasised by the Commissioner, “compliance with the law is the bare minimum”.
The Metropolitan Police Service (“MPS”) for Newham Borough maintains an intelligence database of actual and suspected members of gangs within the borough, known as the “Gangs Matrix”.
The Gangs Matrix contains the personal data of actual and suspected members of gangs, including: individuals’ names, dates of birth, ages, home addresses, nicknames (including any Gang names), their ethnicity, whether the individuals carry firearms or knives and police national computer IDs.
MPS also produced a redacted version of the Gangs Matrix which omitted particular information including: the data subject’s address, ethnicity, whether they carry firearms or knives and their police national computer ID.
One of the purposes of the database was for data to be shared with other relevant bodies, with the goal of preventing crime, providing support and attempting to deter gang related activity. To achieve this aim MPS shared its Gangs Matrix with Newham Borough Council.
In January 2017, MPS emailed both a redacted and un-redacted version of the Gangs Matrix to Newham. (The MPS was not a party to the ICO’s investigation). It was subsequently forwarded to 44 recipients within the Youth Offending Team and shared with multi-agency partners. Notably, the Youth Offending Team shared the entirety of the un-redacted databases with multi-agency partners (comprising the personal data of over 200 individuals) without removing the data of individuals who were no longer gang members, or were victims of gang crime.
In May 2017, a known gang member alerted his probation officer to the fact he had received a photo of a copy of the Gangs Matrix via social media. In September 2017, a known gang member of a rival gang similarly informed his probation officer he had received photographs of the Gangs Matrix. It was established these were un-redacted copies of the Gangs Matrix.
Following these revelations, the Commissioner noted that a number of violent gang related incidents had subsequently occurred. These incidents involved individuals whose personal data was contained in the photographed pages and included the murder of a gang member named ‘Chris’ in September 2017.
In December 2017 Newham began an investigation into the matter.
The Legal Framework
Clearly, as the incident occurred in 2017, the law applied by the ICO was the Data Protection Act 1998, not the 2018 Act. However, in view of the extensive similarities between the two acts it remains useful to examine the legal principles.
Specifically in play was the seventh data protection principle which required Newham, as data controller, to ensure “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Section 55A(1) of the DPA gave the ICO the power to levy a fine of up to £500,000 if there had been a serious contravention of the data protection principles. For this to occur, the breach must have been deliberate or Newham must have known or ought to have known there was a risk of contravention and that the contravention would be of a kind likely to cause substantial damage or distress, and that Newham had failed to take reasonable steps to prevent it.
The ICO held that Newham had breached the seventh data principle in several ways:
- by distributing the un-redacted Gangs Matrix when only the redacted version would have been necessary and would have “significantly reduced the likelihood of sensitive personal data being disclosed in error and the risk of locating and harming the individuals included”;
- by failing to have in place any information sharing agreements, or any policy or guidance in relation to the sharing of the Gangs Matrix;
- by failing to take a formal decision in respect of its data sharing; and
- by failing to take steps to exercise any control over the personal data it distributed.
These contraventions were clearly likely to cause substantial damage or distress as the Gangs Matrix could end up in the hands of third parties, including criminal gangs, which could result in the risk of actual harm, not only to those whose data was compromised but to anyone living at the same address. Whilst the Commissioner did not establish a specific link between the data breach and the incidents of violence which later occurred in 2017, she noted that it was indicative of the type of harm which could occur.
Unsurprisingly, the Commissioner determined a fine was necessary. There were particular aggravating circumstances being that “a real risk of the loss of control over the un-redacted database would result in physical harm, including death of the data subjects” as well as certain administrative failures of Newham to adequately investigate the incident. A fine of £145,000 was deemed to be adequate and proportionate.
This case is unusual given the nature and extent of harm which could result from a failure to adequately protect personal data. The Commissioner specifically highlighted the dissimilarities between this case and previous cases before it which were more likely to involve purely economic harm.
It emphasises that everyone’s personal data is worthy of protection. Indeed, the fact that the personal data was related to gang members should have prompted Newham to process it under particularly stringent controls given the risk of death or actual harm if the data were to be compromised.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.