A gangs database used by London's Metropolitan Police Service violated UK data privacy law in multiple ways, according to the UK privacy watchdog.

An enforcement notice issued by the UK Information Commissioner's Office (ICO) ruled that the Metropolitan Police Service (MPS) had failed to process personal data fairly or lawfully using its Gangs Violence Matrix. 

It also found that MPS had engaged in excessive and unnecessary sharing of unredacted data across various public and private bodies, and processed personal data excessively in relation to its stated purpose, with 64 percent of individuals on the matrix assessed as low or zero risk of gang activity.

The Gangs Violence Matrix also processed inaccurate data, including incorrectly presuming victims of gang-related crime to have gang associations, retained and processed personal data longer than necessary, keeping information on informal lists even after individuals were removed from the matrix, according to the ICO.

The MPS also failed to take appropriate measures against unlawful processing or accidental loss of personal data, with unencrypted data often transferred in unsecured ways. 

The notice required the MPS to take action to conduct a data protection impact assessment on the Gangs Matrix, implement a clear labeling system to distinguish between victims and suspected offenders, develop a retention schedule for removing data subjects from the Matrix, and erase informal lists containing personal data of individuals no longer meeting retention criteria, amongst other things.