The UK’s data protection regulator has reprimanded the country’s largest police service for failing to properly maintain records on organized crime groups (OGCs), resulting in inaccurate information being stored on a key database.
The Information Commissioner’s Office (ICO) said that London’s Metropolitan Police (MPS) infringed the Data Protection Act 2018, which states that “all reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.”
In fact, between April and July 2020 a coding issue on the Police National Database (PND) resulted in the introduction of test data to the live system, which in turn caused some legitimate files to be rejected. The Met failed to spot this “for a considerable amount of time,” the ICO said.
The Met also failed to notice a second incident when sensitive files that had already been loaded onto the PND were not being updated correctly. After resolving both incidents, the police force then discovered some OGC records still on the system that should have been deleted, the ICO explained.
Read more on the Metropolitan Police: ICO Issues Notices After Met Police Contravenes GDPR.
Although no records were lost, as they could still be accessed via the MPS systems, the fact that accurate info wasn’t always accessible via the PND could have caused “significant damage” to policing partners, the ICO argued.
“Law enforcement agencies may use PND to assess if a particular criminal or criminal group may be under the attention of a partner organization,” it said.
“That accurate and up-to-date records would not be available would deny a partner knowledge which could conceivably have compromised an investigation. It is, therefore of particular concern as to how this incident affected partner agencies and what damage may have been caused as a result of accurate information not being available on PND.”
The Met apparently didn’t inform other police forces about the snafu for more than six months. Although the PND has been operational since 2011, the force still described its system of checks as “immature.”
An automated system checking daily uploads to the huge database could have prevented this incident, the regulator said.
“Dealing with any personal information should be done so with the upmost care. This is of particular importance to the MPS, which handles sensitive information directly relating to criminal activity,” argued ICO director of investigations, Steve Eckersley.
“This reprimand reflects the ICO’s wider powers, including issuing reprimands and sharing good practice, to encourage greater compliance and empower organizations to use people’s data responsibly.”