London council fined £140k for data breach of alleged gang members' data
The Information Commissioner’s Office fined the London Borough of Newham £145,000 for disclosing personal data related to over 200 alleged gang members.
Although the ICO stressed that “it is not possible to say whether there was a causal connection between any individual incidents of violence and the data breach”, the data disclosed by the council ended up in the hands of rival gangs, and some people whose information was leaked suffered violent attacks.
The data breach took place in January 2017, when a member of staff at Newham Council emailed 44 people with an unredacted version of the Gangs Matrix database that had earlier been supplied to the authority by London’s Metropolitan Police Service.
The unredacted version included personal information related to 203 alleged gang members – including names, addresses, dates of birth, gang affiliations, and history with weapons.
The email was sent to Newham’s youth offending team, as well as to various external agencies, including a voluntary agency that works with the council to tackle gang crime.
The investigation found that later in 2017, rival gangs got hold of photos of the unredacted database shared by the council, reportedly obtained via Snapchat.
Newham Council also failed to report the incident to the ICO, and did not commence its own internal investigation until December 2017, which the regulator said was “a significant time after they became aware of the breach”.
“We recognise there is a national concern about violent gang crime and the importance of tackling it,” said deputy information commissioner James Dipple-Johnstone. “We also recognise the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely.
“Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.”
The council responded by saying that no one has yet established how the information – which it said was inadvertently shared by one of its employees – got into the public domain.
Due to the timing of the data breach, the fine has been issued under the previous legislation, the Data Protection Act 1998, and not the General Data Protection Regulation and 2018 Act that replaced it last year.