Blundering London council emails unredacted version of notorious Gangs Matrix to 44 people. Data ends up on Snapchat

Newham Council has been fined £145,000 after an employee sent out a mass email containing an unredacted version of the police database that ranks people's likelihood of gang-related violence. According to the UK's data protection watchdog, some 203 individuals' personal data was shared with 44 people, and screenshots of the …

  1. Doctor Syntax Silver badge

    It's difficult to know what to do when confronted with incompetence of this nature. It's not just the initial breach that's the problem. It's also the attitude that the council decided they could deal with it as an internal matter. Either they didn't know about the GDPR provisions about reporting or simply decided they were too important for that. I'd like to think there was a mechanism for placing them under some sort of adult supervision but where would one find suitable adults? Certainly not in central government.

    1. Doctor Syntax Silver badge

      One possible solution occurs to me. A couple of decades ago I had a gig working with material which had similar sensitivity. I and everyone else had to have clearance to S/C. Shouldn't council staff with this exposure also need clearance?

      If anything the need should be greater than in my gig as the whole of the database is going to be local to the area from which council staff are likely to be recruited. Without clearance there's an unacceptable probability that a data subject might be known or even related to one of the staff.

      A failure like this should then result in the entire command chain losing their clearance and having to be redeployed within the council if they were even able to retain their jobs. This would result in greater awareness of all those involved about their responsibilities and what actions would be permissible.

  2. andy gibson

    How did the gangs get the information?

    From what I can see in the article, data went out, but to relevant responsible people tackling gang problems.

    So how did it end up in the hands of rival gangs on Snapchat?

    Yes, the council employee is wrong for sending the data in the first place. But isn't one of the recipients guilty of re-sharing here?

    1. Chris G

      Re: How did the gangs get the information?

      Once a document gets into a council office, the world, his missus, snot nosed kids and his dog have access, council clerks are locals and are as likely to know some of the 'naughty' boys as anyone else. I have also seen desktops left on all night to save firing up in the morning so the cleaners or anyone else in there at night could have access.

      The best security in a local council is when there is a meeting in the chambers, nobody gets to know what is discussed there.

  3. Anonymous Coward

    Newham Council haven't been fined £145k, Newham council rate payers have been fined £145k through no fault of their own. This is not holding those responsible to account and punishing them appropriately.

  4. Anonymous Coward

    Hopefully a few of the gangs will now dispose of their enemies

    See the leak as an aid to garbage disposal, and a public service

    1. Anonymous Coward

      Re: Hopefully a few of the gangs will now dispose of their enemies

      It rarely works as you would like - key people are removed and then the two gangs become one larger, more powerful unit as they tend to control a larger area for their favored trades.

      1. Korev Silver badge
        Coat

        Re: Hopefully a few of the gangs will now dispose of their enemies

        It almost sounds like the way corporate mergers and acquisitions happen; or Murders and Executions as Patrick Bateman would say...

      2. Alan Brown Silver badge

        Re: Hopefully a few of the gangs will now dispose of their enemies

        "key people are removed and then the two gangs become one larger, more powerful unit"

        There _are_ ways to take the wind out of gangs. The prime reason they exist with the power and danger they do isn't "cred", it's _money_ - specifically the insane profitability associated with drugs(*) and trading in stolen goods to pay for them.

        (*) A medically pure knockout dose of heroin or cocaine is less than a pound. It's a hell of a lot more on the street and cut with "godknowswhat". Every pence of the difference is why you have gang wars.

    2. Anonymous Coward

      Re: Hopefully a few of the gangs will now dispose of their enemies

      Might be worth remembering that the "enemies" of these gangs - as seen by the gangs - just might not actually be members of other gangs. And even if they are, their murder, as you are apparently "hopeful" of, might be disproportionate. And even then, more murder - even of supposedly worthless gang members - is unlikely to make a positive contribution to the wider public interest. Especially if the "winners" of such a gang war are the most ruthless, violent, and best armed of the lot.

  5. Anonymous Coward

    The council probably will say that lessons have been learnt or something like that.

    1. Anonymous Coward

      Only to be forgotten a few weeks later so the lesson will be learnt again the next time it happens.

      :/

  6. zaax

    One of the problems is pay; if you pay peanuts you get monkeys

    1. Anonymous Coward

      Yes. But unfortunately increasing the pay doesn't solve the problem, as you already have the monkeys installed.

      You turn them into better paid monkeys.

      1. Ommerson

        Councils face a real problem when it comes to employing competent - and particularly experienced - IT staff and developers. There's a skills shortage industry-wide, and when you're one of the lower payers, and perceived to be neither competent, nor an exciting place to work, the result is never likely to be great.

        The government's clamp down on IR35 in the public sector has made this much, much worse as this is how the skills gap used to be filled in many a council.

        Councillors rarely have any insight or experience here either. It's hard to imagine them coming to the conclusion that they need to employ more competent people and pay them more in these roles when they're simultaneously contending with year-on-year budget cuts.

        Under GDPR there is now individual responsibility and culpability for the data protection officer. Who on earth would do this job?

  7. Anonymous Coward

    Weasel Words, Nothing Will Change

    Others on here are making the same point, but it bears being made until it's heard and acted on:

    "Newham Council has been fined £145,000" gives the distinct impression that guilty parties working for or elected to the council are in some way being penalised.

    They are not, though they should be.

    Until those responsible are punished in person, nothing will ever change.

    By responsible, I mean all of those formulating and enforcing inadequate security policy and those who make the individual screw-ups.

    Feel free to suggest cruel and unusual punishments here, we might as well enjoy the fantasy. I don't expect to see effective measures in my lifetime.

  8. adam payne

    However, in this case, a staffer within Newham shared both versions, having simply forwarded the email they received from the Met police with the January version of Newham Matrix.

    This person has since been retrained.

    Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe.

    Internal review found nothing, doesn't surprise me.

    Cue the usual statement, we take privacy seriously blah blah blah, lessons have been learnt blah blah blah.

    1. Alan Brown Silver badge

      "Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."

      In some countries, covering up like that results in a multiplier of the fine being applied - and the decision to cover up _IS_ criminal misfeasance.

      Of course getting the Met to accept a criminal complaint is impossible because then they'd have to admit culpability too.

  9. Reality_Cheque

    ICO gets 145k. Victims get nothing.

    We have seen breach after breach of privacy by phone companies, councils, and other organisations. The ICO gets richer, and the victims get nothing.

    In this particular case, I can live with it. A gang member doesn't deserve anything even if his privacy has been breached, but in almost every other case the victims deserve compensation yet receive none at all.

    If data is negligently shared then each victim should receive £20 as a MINIMUM as an apology. It's not much, but it will encourage companies to not keep too much data in the same place, don't you think?

    1. Snowy Silver badge
      Thumb Up

      Re: ICO gets 145k. Victims get nothing.

      Considering the fine was £145,000 for sharing 203 people's private information maybe £714+ might be a better figure if you're going to compensate the victims?

      1. JassMan

        Re: ICO gets 145k. Victims get nothing. @Snowy

        Nice idea as a general rule but in this case most of the victims by definition are violent criminals. Paying them 700+ each would allow them to go out and buy better guns and knives or higher quality drugs to sell on at higher profit margins.

    2. Anonymous Coward

      Re: ICO gets 145k. Victims get nothing.

      "A gang member doesn't deserve anything even if his privacy has been breached"

      What? Some person, without any judicial process being followed other than a copper's 'through my judgement and experience' that a certain person is a 'gang member' spaffs their personal details to rival gang members, there's a murder of one of them, and they don't deserve any recompense if it turns out the council was responsible?

      Are you a complete idiot or something? Do you read the Daily Express? Is your brain broken in some way that excludes a sense of compassion?

  10. Jamie Jones Silver badge
    Facepalm

    Doh!

    At first I thought "why would they send this to a bunch of youth offenders.. redacted or not?"

    Then I realised that's probably not what "Youth Offending Team" actually means...

    1. JassMan

      Re: Doh!

      Yes. You forgot we live in a land where we have "Police and Crime" commissioners. I always thought criminals were pretty good at commissioning their own crimes without help from officials. A job title with conflict of interest built in!

  11. itbod

    Reminds me of a blog article from 2015 about the Sony hack

    https://veoci.com/blog/sony-hack Sony Hack Lesson - Sensitive Content, Get out of Email, FAST.

  12. Anonymous Coward

    Gov Workers /No Expertise required

    Unencrypted, and through email?

    We're talking about an excel sheet here not an actual DB...

    This is what you get when you hire Glorified Clerks instead of Data Personnel with IT/IM Training.

    1. Doctor Syntax Silver badge

      Re: Gov Workers /No Expertise required

      Glorified?

    2. Ommerson

      Re: Gov Workers /No Expertise required

      A reliable assumption in local government: Anybody without a professional qualification (e.g. borough solicitor, surveyor, planning officer) is incompetent. Those with a professional qualification may be too - particularly if that skill could be used elsewhere more profitably.

  13. Anonymous Coward

    I found something similar here in the US

    I found an insecure database of high-risk offenders while just casually surfing the web:

    https://www.congress.gov/members

  14. Anonymous Coward

    Now, if only someone could propose send the council CEO to prison for these offences

    In the same way as is being suggested for leaders of tech companies.

    1. MachDiamond Silver badge

      Re: Now, if only someone could propose send the council CEO to prison for these offences

      I think that the best you might get is dismissal and a ban from government employment for several years. For the really naughty, loss of pension standing.

      The Thieves Code won't allow passing laws with harsh penalties on politicians by another mob of politicians. It smacks too much of cannibalism and why would they pass laws that might put them in prison themselves at some point?

      1. Anonymous Coward

        Re: Now, if only someone could propose send the council CEO to prison for these offences

        Like lawyers and the police, they close ranks when one of their own is under attack.

  15. Anonymous Coward

    And the unsatisfactory outcome

    Is thanks to yet more <expletive deleted> incompetence by BRITISH politicians.

    You're welcome :(

  16. Anonymous IV
    Joke

    Grossly negligent

    If Newham Council were grossly negligent, surely they should have been fined £144k not £145k?

    (Asking for a gang member.)

    (Oops...)

  17. TheTick

    "Newham Council"

    Say no more friend. Say no more...

  18. Anonymous Coward

    Redaction lite

    More than once, I've been tasked to publish a "redacted" PDF document on the web.

    The authors had employed the "lite" version of redaction: black boxes over existing text.

    However, when printed or highlighted with the cursor, the entire text was exposed.

    Many people understand privacy, just not how to achieve it.

  19. gcarter

    Fine culture

    I understand that organisations / companies etc need to be held accountable for when there are breaches like this one.

    Unfortunately nowadays, it's becoming almost a cultural thing... fine the hell out of anything, everything and everyone!

    Look at all of the companies popping up to cash in on this "fine culture", PPI fines being the most notable.

  20. JSIM

    "people's likelihood of gang-related violence."

    What does this mean? Can anyone tell without being a mind reader?

    More steaming excrement hits El Reg's pages. A daily occurrence.

  21. earl grey
    Mushroom

    What I want to know

    Is who (and how many) may be on that list who aren't really members of any gang or criminal group and have just been slandered?
