Sadiq Khan’s policing watchdog has been reprimanded by the Information Commissioner’s Office (ICO) for a data breach which potentially revealed the personal details of almost 400 people.
The Mayor’s Office for Policing and Crime (MOPAC) - which oversees the Met’s work - was told by the ICO on Thursday that the breach was “a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system”.
But the ICO also noted that it was “an honest mistake” and said it was pleased with “remedial steps” taken by MOPAC since the incident.
The breach occurred due to an error by MOPAC’s parent body, the Greater London Authority (GLA), which runs the London.gov.uk website, including MOPAC's pages and web forms.
The two web forms affected by the incident enable the public to complain about the Met, or to contact the Victims Commissioner for London about how they have been treated.
Between November 11 and 14 2022, a GLA officer intended to give four MOPAC staff members permission to access information shared through the web forms. Instead, they accidentally made access to the two web forms public.
MOPAC was said to have been made aware of a potential incident on February 23 2023 by a member of the public. Upon further investigation, MOPAC discovered that it was possible for users to see everything that had been submitted via the form, including name, address and reason for submitting a complaint.
The breach affected a total of 394 people, who were notified by MOPAC that their data had been accidentally made available. However, the ICO noted that there is no evidence that the data was ever accessed.
It was reported in July last year that the employee responsible had not been sacked, with City Hall saying at the time that it preferred to follow a culture where staff were not afraid to flag errors and could learn from their mistakes.
ICO director Anthony Luhman said: “Highly personal and sensitive information could have been seen publicly [as a result of the breach]. This was a completely avoidable error that has the potential to jeopardise public confidence in the criminal justice system.
“I am satisfied this was an honest mistake and I’m pleased by the remedial steps taken by MOPAC since the breach, which include providing additional staff training to prevent any repeated incidents.
“However, it is important that public bodies learn from this incident. The public should be able to trust that their sensitive data will be treated with the utmost care, particularly when it comes to crime.”
A spokesperson for the mayor said: “Following this incident a full and thorough investigation was launched, supported by independent experts. Improved training and enhanced data security monitoring are now in place to ensure there is no repeat.
“The ICO investigation welcomes these steps and confirmed MOPAC and the GLA acted quickly and professionally to minimise the impact of these breaches.
“While there is no evidence that any of this information was accessed by anyone with malicious intent or that it has been misused, City Hall has offered support to anyone who may have been impacted.”
A MOPAC spokesperson said: “MOPAC and the GLA accept the findings outlined by the ICO.
“The GLA and MOPAC take the safety and security of www.london.gov.uk very seriously and sincerely regret any concern this issue may have caused.”