ICO says Metropolitan Police breached data protection laws with Gangs Matrix
The Matrix stores information of alleged gang members and victims which is shared with public bodies
In a year-long investigation carried out by the ICO, the Metropolitan Police Service (MPS) has been found to have seriously breached data protection laws in its conduct when sharing information with public bodies such as local councils and housing associations.
The 27-page report finds that the Gangs Matrix, a police database used to track individuals with gang associations sometimes doesn't distinguish individuals between offenders and victims. The Matrix also holds informal lists containing personal information belonging to people who no longer meet the criteria to be placed in the Matrix.
The Matrix also keeps informal lists of people who no longer meet the criteria to be placed on the list. The report also determines the Matrix to be too vague in regards to its reasoning behind sharing data with public bodies and determined that a review is needed around how the information it holds is shared. It's also stated that the public bodies receiving the information aren't always aware of how to interpret the data correctly.
The MPS has breached many of the eight data protection principles (DPPs). Principle 5 for retaining personal data for longer than necessary; evidence suggests London boroughs also keep this information longer than necessary. Principle 3 was broken because the large majority of those in the Matrix are considered 'low risk' and therefore their data is being processed in excess. Principle 1 relating to lawful and fair distribution of data, Principle 7 relating to secure storage of data and Principle 4 relating to data accuracy have all been broken, breaching the Data Protection Act.
"Data sharing between the police and other public bodies is necessary, but in this case and all cases, that must be done within the law," said Elizabeth Denham, UK Information Commissioner in a blog post. "My investigation revealed serious breaches of data protection laws with the potential to cause damage and distress to the disproportionate number of young, black men on the Matrix.
"Ignoring people's fundamental data rights erodes trust and confidence, which risks alienating the communities the Met serves. Building trust with communities to tackle gang crime comes from people knowing that engaging with the police will not have adverse consequences. Knowing that their personal information will not be shared unnecessarily, knowing that their chances of getting housing or a job will not be damaged, and knowing that they have won't be discriminated against, simply because they've included in the Matrix."
The MPS responded: "As well as addressing the concerns within the ICO report, we are also taking forward additional work including the introduction of a public facing website to explain the legal framework for the Gangs Matrix and further information to improve public confidence and transparency. We have a constructive relationship with the ICO and will continue to work with them as we go forward."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
What is a data protection officer? General Data Protection Regulation (GDPR) GDPR news: GDPR turns six months old
How the Matrix works
According to the report, the Matrix's model (Gang Operation Model) states that individuals should only be included in the Matrix if they meet the threshold as a gang nominal. This is further defined by the MPS as "someone who has been identified as being a member of a gang and this is corroborated by reliable intelligence from more than one source (e.g. police, partner agencies or community intelligence)."
The report also states that the model's intention is not to "target youths who join gangs, [the focus is] on those who commit criminality or are at risk through being associated with a gang".
The MPS uses the Matrix to take enforcement action against identified gang nominals across civil and criminal areas, adopting the 'Al Capone Approach' which recognises that prosecution for specific gang-related offences is not possible, so a general targeting of gang members is done. Specific enforcements and disruptions include increased likelihood of stop and search, TV licensing enforcement, parking enforcement, benefits sanctions, housing action (including eviction) and immigration enforcement.
A former housing relocation officer told Amnesty International that the police sometimes resorted to targeting a young person and their family to put pressure on them because it couldn't get evidence to prove they were offending.
"I have seen police going after parents or families and to try and get prosecutions for things like not having a TV licence. Generally, this would not be high-level policing priority but it's used as a tool to put pressure on the young person that is their actual target but they don't have intelligence or evidence to pursue it," said the officer.
It isn't clear whether those who remain on the Matrix on an informal list, as individuals who no longer meet the criteria, are affected by the aforementioned enforcements/disruptions. IT Pro approached MPS which declined to comment further on this point specifically. It would be a catastrophic failure for MPS if this was the case, especially considering the Matrix has been accused of being discriminatory towards ethnic minorities.
Both the ICO report and Amnesty International's identify the demographics of the Matrix as an issue. 87% of all individuals included are from black, Asian and minority ethnic (BAME) backgrounds, 78% of the total list are black people.
What's next?
The ICO has issued the MPS with an extensive list of actions it must complete to rectify its unlawful conduct in running the Matrix.
As stated in the ICO's enforcement notice, MPS must conduct a data impact assessment on the Gangs Matrix, something that has never been done since its inception in 2012. It must also erase any informal lists containing information on individuals who no longer meet the gang nominal criteria and remaining data must be encrypted, again something that shockingly wasn't in place already.
The MPS must comply with the data protection laws within six months, said the IC's enforcement notice.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.