London Mayor’s Office reprimanded over data breach

The London Mayor’s Office for Policing and Crime (Mopac), which oversees London’s Metropolitan Police Force, has been reprimanded by the Information Commissioner’s Office (ICO) over an error that may have revealed the personal data of people who were contacting it to complain about the force.

The issue is said to have affected nearly 400 people, all of whom have now been notified of potential personal data breaches. It arose through two different contact forms on Mopac’s public-facing website.

“People used these forms for two reasons – to complain about the Metropolitan Police, or to contact the Victims Commissioner for London about the way they had been treated,” said ICO director Anthony Luhman.

“This means highly personal and sensitive information could have been seen publicly. This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.”

It said that between 11 and 14 November 2022, a member of the Greater London Authority (GLA) had attempted to give four Mopac staffers permission to access information that had already been submitted via the web forms. Unfortunately, the staffer instead made access to the web forms public.

It took a little over two months, until 23 February 2023, before a member of the public became aware of the issue and notified Mopac, which launched an investigation and subsequently found that users had been able to see everything submitted via the form, including names, addresses and their reason for making a complaint in the first place.

Data relating to a total of 394 complainants was exposed in this manner, however there is no evidence that anybody else accessed it at any stage during the period when it was vulnerable.

“I am satisfied this was an honest mistake and I’m pleased by the remedial steps taken by Mopac since the breach, which include providing additional staff training to prevent any repeated incidents,” said Luhman.

“However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, particularly when it comes to crime.”

As is now usual in such cases where a public sector body has caused or experienced a data breach, the ICO’s issue of a reprimand as opposed to a financial penalty is an ongoing policy that dates back to 2022, when it was introduced as a temporary, two-year discretionary measure, partly on the basis that to punish public sector organisations essentially forces the taxpayer to hand over even more money to cover the fine. 

The policy has, however, been criticised by legal and cyber security experts, notably in two cases, one involving Thames Valley Police, and the other the Ministry of Justice, over failings that placed the physical safety of witnesses and prisoners in jeopardy.

The trial period is set to expire in June 2024, at which point information commissioner John Edwards has previously said he will revisit it, and potentially rescind it if the desired improvements in public sector security and data protection have not happened.

The London Mayor’s office had not yet responded to a request for comment from Computer Weekly at the time of publication.