The Information Commissioner’s Office (ICO) has reprimanded the London Mayor’s Office for Policing and Crime (Mopac) over a mistake that could have exposed the personal data of individuals who contacted it to complain about the Metropolitan Police Force. It affected approximately 400 people, all of whom have been informed of the potential data breaches. The error occurred through two contact forms on Mopac’s public website.
The incident occurred between November 11 and November 14, 2022, when a member of the Greater London Authority (GLA) attempted to grant four Mopac employees permission to access information that had already been submitted through the web forms. However, instead of granting access only to the employees, the information became publicly accessible.
The issue was not discovered until February 23, 2023, when a member of the public alerted Mopac. An investigation was launched, revealing that users had been able to view all information submitted through the forms, including names, addresses, and reasons for complaints.
The personal details of 394 complainants were exposed, but there is no evidence to suggest that anyone else accessed the information during the period it was vulnerable. Mopac has taken remedial steps, including providing additional staff training to prevent future incidents.
ICO director Anthony Luhman stated that it was an avoidable mistake that has the potential to undermine public confidence in the criminal justice system. He emphasized the need for public bodies to handle sensitive data with utmost care.
The ICO’s decision to issue a reprimand, rather than a financial penalty, is part of its ongoing policy introduced in 2022 to avoid burdening taxpayers with fines for data breaches caused by public sector organizations. However, this policy has faced criticism from legal and cyber security experts in cases where physical safety was jeopardized.
The trial period for this policy will end in June 2024, at which point the information commissioner will reassess its effectiveness and potentially rescind it if there hasn’t been sufficient improvement in public sector security and data protection.
Computer Weekly reached out to the London Mayor’s office for comment but had not received a response at the time of publication.