- Web form to complain about the Metropolitan Police Service accidentally revealed victims' data
- 394 people notified of potential personal data breaches
- Data breach “a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system” - ICO
The London Mayor’s Office has today been reprimanded by the Information Commissioner’s Office (ICO) for a web glitch that potentially revealed the personal information of people who were complaining about the Metropolitan Police Service.
The London Mayor's Office for Policing and Crime (MOPAC), which is responsible for oversight of the Met, had two forms available on its website - one to contact the Victims Commissioner for London and another to raise a complaint about how the Met had handled their original complaint.
The incident occurred due to an error by the Greater London Authority (GLA), which runs the London.gov.uk website, including MOPAC's pages and web forms. Between 11 and 14 November 2022, a member of GLA intended to give four members of staff at MOPAC permission to access information shared through the web forms. Instead, they accidentally made access to the two web forms public.
On 23 February 2023, MOPAC were made aware of a potential incident by a member of the public. Upon further investigation, MOPAC discovered that it was possible for users to see everything that had been submitted via the form, including name, address and reason for submitting the complaint.
Due to the nature of the personal information that was made publicly accessible on the forms, MOPAC later notified 394 people that their data had been made available in error. However, there is no evidence that the data was ever accessed.
“People used these forms for two reasons – to complain about the Metropolitan Police, or to contact the Victims Commissioner for London about the way they had been treated. This means highly personal and sensitive information could have been seen publicly. This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.
“I am satisfied this was an honest mistake and I’m pleased by the remedial steps taken by MOPAC since the breach, which include providing additional staff training to prevent any repeated incidents.
“However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, particularly when it comes to crime.”
- Anthony Luhman, Director at the ICO
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- In this case, MOPAC are the data controller and GLA is the processor of the data. MOPAC did not ensure that GLA had suitable training or processes in place to process the data securely; as such, the reprimand has been issued to MOPAC.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.