ICO issues reprimand to London Mayor’s Office for Policing and Crime

MOPAC, which is responsible for oversight of the Metropolitan Police Service, had two forms available on its website: one to contact the Victims Commissioner for London and another to raise a complaint about how the Metropolitan Police Service had handled their original complaint.

The incident occurred due to an error by the Greater London Authority (GLA), which runs the London.gov.uk website (including MOPAC;s pages and web forms). Between 11-14 November 2022, a member of the GLA intended to give four members of staff at MOPAC permission to access information shared through the web forms. Instead, they accidentally made access to the two web forms public.

Potential incident

On 23 February last year, MOPAC was made aware of a potential incident by a member of the public. Upon further investigation, MOPAC discovered that it was possible for users to see everything that had been submitted via the form, including a given individual’s name, address and the reason for them submitting their complaint.

Due to the nature of the personal information that was made publicly accessible on the forms, MOPAC later notified no fewer than 394 individuals that their data had been made available in error. However, there’s no evidence that the data was ever accessed.

Completely avoidable error

Anthony Luhman, director at the ICO, commented: “People used these forms for two reasons: to complain about the Metropolitan Police Service or to contact the Victims Commissioner for London about the way they had been treated. This means highly personal and sensitive information could have been seen publicly. This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.”

Luhman concluded: “I’m satisfied this was an honest mistake and I’m pleased by the remedial steps taken by MOPAC since the breach, which include providing additional staff training to prevent any repeated incidents. However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, and particularly so when it comes to crime.”

Separately, the ICO has published new data protection fining guidance setting out how it decides to issue penalties and calculate fines. The guidance provides “greater transparency” for organisations about how the ICO goes about using its fining power.

Certainty and clarity

Tim Capel, the ICO’s director of legal services, said: “We believe the guidance will provide certainty and clarity for organisations. It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or the Data Protection Act 2018.”

Publication of the guidance follows a consultation last year. The new guidance replaces the sections about penalty notices in the ICO’s Regulatory Action Policy published in November 2018.

Among other things, the guidance explains:

*the legal framework that gives the ICO the power to impose fines, helping people to more easily navigate the complexity of the legislation

*how the ICO will approach key questions, such as identifying the wider ‘undertaking’ or economic entity of which the controller or processor forms part

*the methodology that the ICO will use to calculate the appropriate amount of the fine