Assurance Industry Compliance & Standards Law Enforcement Press Release Privacy UK (United Kingdom)

Metropolitan Police Service (MPS) was unable to ensure Police National Database (PND) accuracy to ICO

On Universal

The Information Commissioner’s Office (ICO) has issued a reprimand to the Metropolitan Police Service (MPS) following several issues identified around their uploading, amending and deleting of various criminal intelligence files relating to Organised Crime Groups (OCG).

The breach is reported to have happened between April-July 2020. It was first identified that a coding issue had occurred on the Police National Database (PND), resulting in a small set of test data being inadvertently introduced to the live system. This caused some files being rejected, an issue that went unnoticed by the MPS for a considerable amount of time.

Following this, a second incident was discovered whereby sensitive files that had already been loaded on to the PND were not being updated correctly, again going unnoticed by MPS.

Once these two issues had been resolved, the MPS then discovered that OCG records had remained on the system when they should have been deleted.

Despite no records being lost, the incidents did lead to information not being available and not correctly updated or deleted from the database. This consequently resulted in the ICO taking action and issuing a reprimand to the MPS.
“Dealing with any personal information should be done so with the upmost care. This is of particular importance to the MPS, which handles sensitive information directly relating to criminal activity.

“This reprimand reflects the ICO’s wider powers, including issuing reprimands and sharing good practice, to encourage greater compliance and empower organisations to use people’s data responsibly.” – Stephen Eckersley, ICO Director of Investigations

Recommendations
The Commissioner recommended that the MPS should take certain steps to ensure its compliance with data protection law, including:

Reviewing how its codebase is managed and looking at better protecting deployment code branches, ensuring code reviews take place before deployment, and training staff members in these practices. As well as, assessing and updating code branches to ensure further protection and to prevent code being inadvertently added to live systems.
Better documenting how code is to be tested, reviewed, and deployed in order to establish best practices, in particular, when this involves software that processes potentially sensitive data.
The ICO is satisfied that the MPS has complied with the recommendations of the reprimand.