The Information Commissioner (Commissioner) has recently issued a reprimand to the Metropolitan Police Service (MPS) following a number of issues in relation to the uploading, amending, and deleting of various criminal intelligence files onto the Police National Database (PND).
One of the incidents involved sensitive files (in relation to organised crime groups) that had been loaded onto the PND and were not being updated correctly. This meant that the information held on the PND was inaccurate and incomplete. This, in turn, affected the data available to other law enforcement agencies who use the PND to assess if a particular criminal or criminal group may be under the attention of a partner organisation.
The Commissioner was particularly concerned that even though the PND had been operational since 2011, the MPS had not developed any automated system to ensure that the criminal record files being uploaded daily onto the PND were being correctly loaded (and updated where necessary).
Whilst no evidence was presented of any actual damage caused as a result of accurate records not being available, it cannot be categorically stated that no damage was caused as a result of the incident.
The Commissioner issued a reprimand to the MPS in respect of an infringement of Section 38(4) of Part 3 of the Data Protection Act 2018 (DPA 2018). Section 38(4) states:
“all reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.”
It cannot be said that the MPS had taken all reasonable steps in contravention of Section 38(4). As identified by the Commissioner, the MPS should have implemented an automated checking system to ensure that the data was being uploaded onto the PND correctly.
Whilst the MPS might not have foreseen the above incident occurring and therefore may not have considered an automated checking system necessary, given the sensitive nature of the data involved, they should have given consideration to the possibility of system failures and put in place procedures to deal with this.
Mitigating factors
The Commissioner within the reprimand did identify a number of mitigating factors. The Commissioner acknowledged that the MPS adds, amends, and deletes a large number of records on a daily basis. It was therefore not surprising that they had found it difficult to implement manual checking procedures.
It was also found that the MPS’ own criminal and intelligence records were not affected and that all information could still be accessed. The issue was that this was not filtering down to the systems of other law enforcement agencies.
Steps taken by the MPS
The MPS has already taken remedial steps to tackle the issues identified by the Commissioner. The MPS has introduced enhanced monitoring frameworks which have been implemented locally and via report functions. There will also be an ongoing oversight from the MPS Senior Responsible Officer as well as technical teams to ensure that any chance of a recurrence of the above incident is reduced.
The ICO Director of Investigators, Stephen Eckersley, made the following comments in relation to the above:
“Dealing with any personal information should be done so with the upmost care. This is of particular importance to the MPS, which handles sensitive information directly relating to criminal activity.
This reprimand reflects the ICO’s wider powers, including issuing reprimands and sharing good practice, to encourage greater compliance and empower organisations to use people’s data responsibly.”
How can we help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us