UK information watchdog: Gangs Matrix potentially breaks data protection law

Occurred: November 2018

The UK Information Commissioner's Office (ICO) found that the Metropolitan Police Service's (MPS) Gangs Violence Matrix violated UK data privacy law in multiple ways.

An enforcement notice issued by the ICO ruled that the MPS had failed to process personal data fairly or lawfully, with excessive and unnecessary sharing of unredacted data across various public and private bodies, and processed personal data excessively in relation to its stated purpose, with 64 percent of individuals on the matrix assessed as low or zero risk of gang activity.

The Gangs Matrix also processed inaccurate data, including incorrectly presuming victims of gang-related crime to have gang associations, retained and processed personal data longer than necessary, keeping information on informal lists even after individuals were removed from the matrix, according to the ICO.

The MPS also failed to take appropriate measures against unlawful processing or accidental loss of personal data, with unencrypted data often transferred in unsecured ways. 

The notice required the MPS to take action to conduct a data protection impact assessment on the Gangs Matrix, implement a clear labeling system to distinguish between victims and suspected offenders, develop a retention schedule for removing data subjects from the Matrix, and erase informal lists containing personal data of individuals no longer meeting retention criteria, amongst other things.

Operator: Metropolitan Police Service (MPS)
Developer: Metropolitan Police Service (MPS)
Country: UK
Sector: Govt - police
Purpose: Predict gang violence risk
Technology: Ranking algorithm
Issue: Accuracy/reliability; Privacy; Security
Transparency: Governance