ICO reprimands police force over coding glitch that misplaced sensitive files

The Information Commissioner's Office has issued a reprimand to the Metropolitan Police Service under the Data Protection Act 2018 following issues identified around its uploading, amending and deletion of various criminal intelligence files relating to Organised Crime Groups (OCG).

The ICO issued the reprimand under Section 38(4) of Part 3 of the DPA 2018, which states: "all reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes".

The breach occurred after a coding issue on the Police National Database (PND) resulted in a small set of test data being inadvertently introduced to the live system.

This caused some files to be rejected, "an issue that went unnoticed by the MPS for a considerable amount of time," the ICO said.

Following this, a second incident was discovered whereby sensitive files that had already been loaded onto the PND were not being updated correctly, again going unnoticed by the MPS.

Once these issues had been resolved, the MPS then discovered that OCG records had remained on the system when they should have been deleted.

Despite no records being lost, the incidents did lead to information not being available and not correctly updated or deleted from the database. This consequently resulted in the ICO taking action and issuing a reprimand to the MPS.

As a result of the findings, the ICO recommended that the MPS review how its codebase is managed and look at better protecting deployment code branches, ensuring code reviews take place before deployment and training staff members in these practices.

It also recommended that the police force should assess and update code branches to ensure further protection and to prevent code from being inadvertently added to live systems.

In addition, the ICO recommended that the MPS better document how code is to be tested, reviewed and deployed in order to establish best practices, "in particular, when this involves software that processes potentially sensitive data".

Commenting on the case, Stephen Eckersley, ICO Director of Investigations, said that dealing with any personal information "should be done so with the utmost care".

He added: "This is of particular importance to the MPS, which handles sensitive information directly relating to criminal activity.

"This reprimand reflects the ICO's wider powers, including issuing reprimands and sharing good practice, to encourage greater compliance and empower organisations to use people's data responsibly."

The ICO reported that it is satisfied that the MPS has complied with the recommendations of the reprimand.

A spokesperson for the Metropolitan Police Service said: "The MPS has fully supported the Information Commissioner's Office in relation to this matter. Once aware of this IT fault, the MPS worked with partners to address the issue.

"There is no indication this issue has resulted in any operational impacts for the Met or other police forces. We have accepted the recommendations in full and are putting in place a number of steps to take forward learning from the incident."

Adam Carey