Cop shop rapped for ‘completely avoidable’ web form blunder

March 15, 2024 TH Author

The London Mayor’s Office for Policing and Crime is being rapped by regulators for untidy tech practices that made public the personal data of hundreds of people who filed complaints against the Metropolitan Police Service.

According to the Information Commissioner’s Office, MOPAC made a “completely avoidable” webform error that first took place 17 months ago, exposing information of close to 400 people that had submitted highly sensitive information.

MOPAC, which sets and oversees the strategic direction of the Met, had two forms on its website: one to lodge objections about how the Met had handled the complainant’s original grievance; and the second was to contact the help group Victims Commissioner for London.

The London.gov.uk site is run by the Greater London Authority, which itself is in place to keep checks on the Mayor. Between November 11-14 2022, an unnamed employee of the GLA had meant to permit four colleagues access to data shared via the web forms but instead made both forms open to anyone on the internet.

It wasn’t until February that MOPAC was informed of the blunder by a member of the public. Upon closer inspection, it realized that users could see “everything that had been submitted via web form, including name, address and reason for submitting compliant,” said the ICO.

Due to the subject matter of the information exposed, MOPAC contacted the 394 people involved to let them know their “data had been made available in error,” the regulator said. “However, there is no evidence that the data was ever accessed,” it added.

Why the reprimand? MOPAC “acted professionally” throughout the investigation to tell the Met Police complainants about the screw-up. And MOPAC has since taken “remedial steps” including “awareness and training” around “permission forms.”

Further recommendations around information governance and data protection training were uttered by the ICO to maintain compliance with the UK GDPR.

“This means highly personal and sensitive information could have been seen publicly,” said Anthony Lehman, director for the regulator. “This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.”

He added: “I am satisfied this was an honest mistake and I’m pleased by the remedial steps taken by MOPAC since the breach, which include providing additional staff training to prevent any repeated incidents.

“However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, particularly when it comes to crime.”

In a statement sent to The Register, a MOPAC spokesperson said:

“The Mayor’s Office for Policing and Crime (MOPAC) and the GLA accept the findings outlined by the Information Commissioner’s Office (ICO).

“Improved training and enhanced data security monitoring have been put in place to address the findings and provide effective mitigation for the security issue(s) which were identified.

“The GLA and MOPAC take the safety and security of www.london.gov.uk very seriously and sincerely regret any concern this issue may have caused.”

Cops’ fingerprints have been all over data gaffes in recent times, whether that be for mixing up two people’s data with serious consequences, or leaking data on their own officers, most notably – but not exclusively – in Northern Ireland last year.

Forces in Cumbria, Norfolk, and Suffolk did the same thing of accidentally exposing their own officers’ identities online too, but unlike Northern Ireland, those English counties don’t have the same level of sectarian tensions as are present across the Irish Sea. Both serving and recently retired officers in the region say they face continuing threat from paramilitaries, making the accidental publication in August 2023 of surnames and initials of serving officers and civilian staff members, plus a listing of officers’ rank or grade, details on their location, and the department in which they work, that much more egregious. ®