The Gangs Matrix data breach at Newham Council cost the council a significant ICO fine and may have contributed to a rise in local gang violence.
In early April 2019, the Information Commissioner’s Office (ICO) fined the London Borough of Newham £145,000 under the pre-GDPR Data Protection Act 1998. The fine related to the leak of a controversial police database known as the Gangs Matrix, which contained sensitive information on more than 200 actual and suspected gang members in the London area. The details included dates of birth, home addresses, gang associations and whether the individuals were known to carry knives or firearms.
Sensitive data shared
The police shared the Gangs Matrix with Newham Council, with whom they had been working in partnership to tackle gang violence. It is understood that a Newham Council employee then shared the document with 44 recipients, including external voluntary agencies.
Widening the circle of people with knowledge of the Gangs Matrix to that extent made it almost inevitable that the database would become public. Within months, photos of the Gangs Matrix were being shared on the social networking app Snapchat.
Ensuing gang violence
In the months following the leak of the Gangs Matrix, Newham suffered serious gang violence, with some of the victims having been featured in the database. Although the ICO did not establish a causal link between specific incidents of violence and the leak, it is clear the highly sensitive information became a significant risk when it reached rival gang members.
The ICO found that there had been serious contraventions of the data protection principles under the DPA 1998. Newham Council did not have any specific data sharing agreements, policies or guidance in place to determine how its own staff and partner organisations should handle and use the Gangs Matrix securely.
The council also failed to report the data breach to the ICO, and only launched an internal investigation months after becoming aware of the breach.
Lessons to be learned
This case is an important reminder for organisations that handle and share sensitive information. Organisations must have suitable processes, training and governance to meet their obligations under data protection legislation.
When sharing personal data, there should be appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk. In this case, the Gangs Matrix data posed a very high risk – one that was arguably demonstrated by the violence that followed the leak.
Organisations also need to consider whether it is actually necessary to share data at all. Newham Council did not require all of the information on the database in order to work in partnership with the police. Had the police provided only a redacted version (which the ICO understands did exist) to Newham Council, the impact on the victims following the data breach might have been considerably reduced.
For advice on how to ensure you operate secure, compliant data policies, please talk to our privacy and data protection team.