London cops have broken data protection rules by using a controversial database that ranks people's likelihood of gang-related violence but fails to distinguish between victims and perps, and low and high-risk people.
The UK's data protection watchdog today reported there had been "multiple and serious" breaches in the use of the Gangs Violence Matrix, and issued an enforcement notice on the Metropolitan Police.
In a 27-page report (PDF), the Information Commissioner's Office reeled off a list of failures it said were likely to have caused at least some data subjects harm.
These included an absence of central governance, oversight and auditing; a lack of coherent guidance and policies on data retention, sharing and deletion; and a failure to implement basic data protection practices like encryption or information-sharing agreements.
The Gangs Violence Matrix was set up by the Metropolitan Police in 2012 with the aim of reducing gang-related crime in the capital. People are given a risk score with a traffic light "harm" rating (red, amber or green) based on police info on arrests, convictions and other intelligence, including social media use.
If they can't prosecute someone on the database for a specific gang-related crime, it allows cops to target them more generally, for instance through increased stop and search, or housing or immigration enforcement, which means sharing the information stored on the database – including names, dates of birth, addresses, ethnicity and police or partner intelligence information – with various private and public bodies.
This can have a significant impact on someone's life, and has invoked the ire of campaigners. The ICO's investigation was prompted by one such complaint, from Amnesty International.
It concluded that the use of the Gangs Violence Matrix breached a variety of data protection principles: processing of personal data was excessive; it wasn't fair or lawful; forces were retaining and processing personal data for longer than necessary; and they failed to take measures to prevent unlawful processing or accidental loss.
Moreover, the Met Police had apparently failed to carry out a data protection or privacy impact assessment, or to establish coherent and consistent guidance.
This resulted in the 32 London boroughs applying very different rules for each of their versions of the database. Some have "diametrically opposed" views on the accuracy and relevance of social media as intelligence.
'Unjustifiably excessive processing'
There are two major areas of concern identified in the report: one is that 88 per cent of the people in the database are from black and ethnic minorities, but there was no evidence the Met was heeding requirements set out in the Equality Act, with the commissioner noting there are "obvious potential issues of discrimination".
Another is the lack of differentiation between the groups of people listed on the database. This applies in particular to those who are included because they have been the victim of two or more gang-related crimes – which sees them classed as gang-associated – and to people who have a low risk ranking; 64 per cent of the people on the database are rated green.
Overall, this is "unjustifiably excessive and lacking in differentiation", the ICO said, while enforcement against all gang nominals regardless of risk rating "is excessive processing in the face of the very purpose of having a system of graduated risk".
This is compounded by the fact those who have a risk score of zero should, according to informal policy (no formal ones on retention exist), be removed from the database entirely.
But the ICO found that people with this score remained on both the database and "informal lists" that officers create on their personal drives, which lack policies or governance on data retention, access or accuracy.
Let that sink in: "Informal lists" that officers create on their personal drives.
"As a result, data subjects are never truly removed from the Gangs Matrix: their personal data continues to be processed as though they remain connected with gangs," the report said. This extends to it being shared with third parties, and to the policies of enforcement meted out.
Unencrypted, unredacted, unsupervised
The ICO also slammed the data-sharing practices, which saw personal data handed over to both public and private organisations "in full, in unredacted form".
Such "blanket and undifferentiated sharing" of both personal data and sensitive personal data (data related to criminal convictions or allegations is given this elevated status) "goes beyond what is reasonably necessary to achieve the MPS's legitimate purposes in preventing and detecting crime and prosecuting offences".
Moreover, this data has been shared without information sharing agreements or with incomplete ones – which are a "basic necessity", the ICO pointed out – with these "manifest and manifold failures" not addressed by either borough or central management.
And of course there are fundamental issues with security: the ICO found that data was "routinely" transferred by officers "in a variety of unsecured ways" and that it wasn't encrypted. The watchdog is investigating a separate "significant" data breach at Newham Council.
Although the Gangs Matrix is on protected drives, officers at local levels circumvented this by saving the information to local drives – there were no measures to prevent this from happening – and officers who moved to a different beat didn't routinely have access rights to the main database revoked.
This failure to take technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, is another breach of data protection principles.
Met Police: 'We welcome the scrutiny'
The ICO said it had considered whether to require the Met to scrap the database entirely, but decided not to on the grounds that it was needed for law enforcement.
Instead, the enforcement notice sets out more than a dozen actions the Met has to take in order to ensure the Gangs Matrix is fit for purpose, and it has to report to the ICO on a monthly basis.
These include conducting a data protection impact assessment, carrying out a full review of data-sharing agreements, ensuring data subjects are clearly labelled, erasing any informal lists on people whose data shouldn't be retained, creating an access log, and developing overarching guidance for boroughs.
The Met said it accepted the enforcement notice, welcomed the ICO's scrutiny and was "working hard" to address its failings.
"We have already started work to ensure that we improve our data handling and information sharing with partners, who are also involved in community safety work," said deputy assistant commissioner of Met operations Duncan Ball.
"As well as addressing the concerns within the ICO report, we are also taking forward additional work including the introduction of a public facing website to explain the legal framework for the Gangs Matrix and further information to improve public confidence and transparency." ®