City Hall policing watchdog slammed over data breach

Data breach described as “completely avoidable error that has potential to jeopardise public confidence in the criminal justice system”, reports Noah Vickers, Local Democracy Reporter

Sadiq Khan (credit LDRS/Noah Vickers)
Sadiq Khan (credit LDRS/Noah Vickers)

Sadiq Khan’s policing watchdog has been reprimanded by the Information Commissioner’s Office (ICO) for a data breach which potentially revealed the personal details of almost 400 people.

The Mayor’s Office for Policing and Crime (Mopac) – which oversees the Met’s work – was told by the ICO on Thursday (14th) that the breach was “a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system”.

But the ICO also noted that it was “an honest mistake” and said it was pleased with “remedial steps” taken by Mopac since the incident.

The breach occurred due to an error by Mopac’s parent body, the Greater London Authority (GLA), which runs the website, including Mopac’s pages and web forms.

The two web forms affected by the incident enable the public to complain about the Met, or to contact the victims commissioner for London about how they have been treated.

Between 11th and 14th November 2022, a GLA officer intended to give four Mopac staff members permission to access information shared through the web forms. Instead, they accidentally made access to the two web forms public.

Mopac was said to have been made aware of a potential incident on 23rd February 2023 by a member of the public. Upon further investigation, Mopac discovered that it was possible for users to see everything that had been submitted via the form, including name, address and reason for submitting a complaint.

The breach affected a total of 394 people, who were notified by Mopac that their data had been accidentally made available. However, the ICO noted that there is no evidence that the data was ever accessed.

This story is published by Enfield Dispatch, Enfield's free monthly newspaper and free news website. We are a not-for-profit publication, published by a small social enterprise. We have no rich backers and rely on the support of our readers. Donate or become a supporter.

It was reported in July last year that the employee responsible had not been sacked, with City Hall saying at the time that it preferred to follow a culture where staff were not afraid to flag errors and could learn from their mistakes.

ICO director Anthony Luhman said: “Highly personal and sensitive information could have been seen publicly [as a result of the breach]. This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.

“I am satisfied this was an honest mistake and I’m pleased by the remedial steps taken by Mopac since the breach, which include providing additional staff training to prevent any repeated incidents.

“However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, particularly when it comes to crime.”

A spokesperson for the mayor said: “Following this incident a full and thorough investigation was launched, supported by independent experts. Improved training and enhanced data security monitoring are now in place to ensure there is no repeat.

“The ICO investigation welcomes these steps and confirmed Mopac and the GLA acted quickly and professionally to minimise the impact of these breaches.

“While there is no evidence that any of this information was accessed by anyone with malicious intent or that it has been misused, City Hall has offered support to anyone who may have been impacted.”

A Mopac spokesperson said: “Mopac and the GLA accept the findings outlined by the ICO.

“The GLA and Mopac take the safety and security of very seriously and sincerely regret any concern this issue may have caused.”

No news is bad news 

Independent news outlets like ours – reporting for the community without rich backers – are under threat of closure, turning British towns into news deserts. 

The audiences they serve know less, understand less, and can do less. 

In celebration of Indie News Week, Public Interest News Foundation's Indie News Fund will match fund all donations, including new annual supporter subscriptions for the month of June.

If our coverage has helped you understand our community a little bit better, please consider supporting us with a monthly, yearly or one-off donation. 

Choose the news. Don’t lose the news.

Monthly direct debit 

Annual direct debit

£5 per month supporters get a digital copy of each month’s paper before anyone else, £10 per month supporters get a digital copy of each month’s paper before anyone else and a print copy posted to them each month. £50 annual supporters get a digital copy of each month's paper before anyone else.  

Donate now with Pay Pal

More information on supporting us monthly or yearly 

More Information about donations