ICO reprimands London Mayor’s Office for Policing and Crime for complaint web form error

The London Mayor’s Office for Policing and Crime has today been reprimanded by the Information Commissioner’s Office (ICO) for a web glitch that potentially revealed the personal information of people who were complaining about the Metropolitan Police Service.

The London Mayor’s Office for Policing and Crime (MOPAC), which is responsible for oversight of the Met, had two forms available on its website – one to contact the Victims Commissioner for London and another to raise a complaint about how the Met had handled their original complaint.

The incident occurred due to an error by the Greater London Authority (GLA), which runs the London.gov.uk website, including MOPAC’s pages and web forms. Between 11 and 14 November 2022, a member of GLA intended to give four members of staff at MOPAC permission to access information shared through the web forms. Instead, they accidentally made access to the two web forms public.

On 23 February 2023, MOPAC was made aware of a potential incident by a member of the public. Upon further investigation, MOPAC discovered that it was possible for users to see everything that had been submitted via the forms, including name, address and the reason for submitting the complaint.

Due to the nature of the personal information that was made publicly accessible on the forms, MOPAC later notified 394 people that their data had been made available in error. However, there is no evidence that the data was ever accessed.

Anthony Luhman, Director at the ICO said:

“People used these forms for two reasons – to complain about the Metropolitan Police, or to contact the Victims Commissioner for London about the way they had been treated. This means highly personal and sensitive information could have been seen publicly. This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.

“I am satisfied this was an honest mistake and I’m pleased by the remedial steps taken by MOPAC since the breach, which include providing additional staff training to prevent any repeated incidents.

“However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, particularly when it comes to crime.”