The ICO recently issued an Enforcement Notice to the Metropolitan Police Service (MPS) in relation to their Gangs Matrix, after we found it breached data protection laws. You can read a blog about it. The ICO is also investigating how information about gangs is used by other public authorities.
This checklist has been created specifically for police forces who might be using, or considering using, a Gangs Matrix, or similar system. Please note that the checklist will help you to assess compliance with data protection law, and is a guide – not a guarantee of compliance.
☐ Has a Data Protection Impact Assessment been conducted?
☐ Has the Data Protection Officer been consulted?
☐ What’s the lawful basis for processing?
☐ Is there a clear, justifiable purpose for processing? Is it a tool to support the investigation of crime, or to prevent individuals from becoming perpetrators?
☐ Have consequences of processing been anticipated and have safeguards been applied?
☐ Is a risk score linked to individuals? What is the threshold for including people on the matrix? What are the purposes and consequences of the scoring? Is it being applied consistently?
☐ Are victims included in the matrix? What is the justification for this? If they are, then they should be clearly labelled in order to distinguish them from convicted or suspected offenders.
☐ Who is data being shared with? Can this be justified? Does all data need to be shared? Are written agreements in place? Is there guidance for all parties who will be accessing the data?
☐ Have appropriate security measures been applied, and communicated, recognising the particular nature of the risk, for example excessive disclosure? Encryption should be applied, paying particular attention to when data is in transit.
☐ Is a comprehensive log maintained of all those accessing the system?
☐ If social media is being accessed, there should be rules in relation to its use as a source of 'verifiable intelligence' in relation to personal data.