1 DATA PROTECTION IMPACT ASSESSMENT (DPIA) Classification Official Suitable for Publication No Title DPIA relating to MPS Gang Violence Matrix (GVM) Purpose To cover privacy issues and mitigate risks arising from MPS Gang Violence Matrix Summary The document sets out the data privacy issues relating to the data held on the MPS Gang Violence Matrix and the sharing of this data with partner agencies. Author DCI Philip Mills, Band C Jon Mott Version 8 Creating Unit MO2 – Met Intelligence Date Created 08/10/2018 Last Review Date 01/07/2020 Review Date 01/01/2021 Handling Instructions Instructions relating to the secure handling of this document are contained in a separate grid at the end of the document (Appendix C). To maintain the secure handling of this document, the Handling Instructions MUST be read and complied with as part of your responsibilities in receiving this document.
Transcript
1
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Classification Official
Suitable for Publication
No
Title DPIA relating to MPS Gang Violence Matrix (GVM)
Purpose To cover privacy issues and mitigate risks arising from MPS Gang Violence Matrix
Summary The document sets out the data privacy issues relating to the data held on the MPS Gang Violence Matrix and the sharing of this data with partner agencies.
Author DCI Philip Mills, Band C Jon Mott
Version 8
Creating Unit MO2 – Met Intelligence
Date Created 08/10/2018
Last Review Date 01/07/2020
Review Date 01/01/2021
Handling Instructions
Instructions relating to the secure handling of this document are contained in a separate grid at the end of the document (Appendix C). To maintain the secure handling of this document, the Handling Instructions MUST be read and complied with as part of your responsibilities in receiving this document.
3. Data Protection and 'Privacy Law' Assessment Page 9
4. Consultation Results Page 17
5. Balanced Risk Assessment Page 18
6. Implementation of DPIA Outcomes Responsibilities Page 19
7. Conclusion Page 20
8. Data Protection Impact Assessment Sign-off Page 21
Appendices
A Glossary Page 22
B Supporting Evidence of Consultation Page 23
C Document Handling Instructions Page 24
3
1. Privacy Impact Screening Questions
Yes No
Q.1 Systematic and extensive profiling or automated decision-making to make significant decisions about people.
Systematic monitoring is something that is targeted at broad categories of people rather than specific individuals. It is pre-arranged, organised or methodical, and is carried out as part of a strategy or general plan. Significant decisions may be those which affect entitlement to employment rights such as pay, pensions and allowances, deletion dates for cautions and other criminal records, decisions whether or not to investigate or treat someone as a suspect, or to contact them about their engagement with the police.
Q.2 Large-scale use of special category data or criminal offence data.
The meaning of large scale is not defined in the Act. Factors to consider are the number of individuals whose data will be processed, the variety of different types of data, the volume of data, the duration of the processing, and the geographical extent of the data.
Q.3 Systematically monitoring or profiling on a large scale, or in a public place.
This would include but is not limited to data captured from surveillance such as CCTV or facial recognition, and ticketing data from events or transport systems.
Q.4 Using new technology, or novel use of existing technologies.
This will include cases where technology is used in a way which will result in a materially different outcome from the current way of processing data. Consider whether the technology will result in more people being identified, more types of data being captured, data about more people being used, or a larger number of people having access to the data. This is not intended to capture cases simply when a software package is upgraded to a newer version, unless the upgrade will itself produce significantly different results, for example, more thorough evidence review tools.
Q.5 Processing biometric or genetic data.
This includes doing anything with DNA samples, DNA profiles and fingerprints.
Q.6 Combine, compare or match data from multiple sources.
This includes discussing individuals at multi-agency panels, as well as using databases and intelligence systems to collate information
C
h
C
h
4
If the answer to any of the above questions is 'yes' then a DPIA is required. Further advice regarding this screening can be obtained via the ISSU. These Privacy Impact Screening questions were completed by DCI Philip Mills and Band C Jon Mott on 9th October 2018 and it was deemed after completion, that a DPIA is required.
or wash data-sets against one another. It also includes processing following receipt of data from third parties.
Q.7 Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
This would not extend to individual targeted surveillance authorisations.
Q.8 Process personal data, which could result in a risk of physical harm in the event of a security breach.
Putting security measures in place does not obviate the need to take this risk into account. The risk should be considered in the context of a breach.
C
h
C
h
C
h
5
2. Introduction The Project The Gang Violence Matrix (GVM) is an intelligence tool used to identify and risk assess gang members across London as victims and suspects. Everyone on the GVM has to be a gang member based on two or more pieces of intelligence and once on the GVM are scored according to violence and weapons offences and intelligence as a victim and suspect. The GVM identifies the most violent gang members who need enforcement action against and gang members who have been repeat victims of violence and therefore need support to safeguard them from being further victims and to divert them away from gangs. The overarching aim of the Gang Violence Matrix is to reduce gang related violence, safeguard those exploited or used by gangs and prevent young lives being lost. The GVM measures the harm gang nominals pose by scoring individuals on the GVM for violence and weapons offences and intelligence. A single GVM has been introduced across London to score gang nominals so that there is equal assessment measures used to assess the risks they pose. Matrices are owned by local boroughs / Basic Command Units (BCUs) who will work with and share data with their partners to enable a multi-agency approach to tackling gangs in London. Strategic governance of the GVM is at Commander Level within Met Intelligence. The MPS Gang Violence Matrix has approximately 2500 individuals on as of April 2020. Some of the key benefits of the GVM are:
It identifies gang members in London and prioritises the current most violent gang subjects.
It identifies gang members who have been victims of violence and prioritises these to identify the gang members most at risk of being further victims of violence.
It allows comparisons to be made of individual gang subjects across the MPS.
It aids the prioritising of resource allocation, ownership of subjects and methods of intervention.
It highlights possible gaps in activity or intelligence on violent gang subjects. Subjects are added to the GVM when they meet the threshold of ‘Someone who has been identified as being a member of a gang and this is corroborated by reliable intelligence from more than one source (e.g. police, partner agencies or community intelligence).’ They will only feature on the GVM if they fit this definition. The definition of a gang used in the MPS is, A ‘gang’ is defined as a "…relatively durable, predominantly street-based group of young people who (1) see themselves (and are seen by others) as a discernible group, and (2) engage in a range of criminal activity and violence. They may also have any or all of the following features, (3) Identify with or lay claim over territory,(4) Have some form of identifying structure feature and (5) Are in conflict with other, similar gangs.
6
This definition is distinct from, and should not be confused with other criminal structures such as organised crime networks, which merit a different policing approach. Those on the periphery of gangs, associates of gang members, victims or exploited by gangs or siblings of gang members do not meet the definition and therefore should not be added to the GVM. Victims of gangs DO NOT go on the Matrix. The individual has to first meet the definition and then any individual meeting this will be added and once added is scored as a victim and suspect. Being victim of gangs whether this be violence or other should not be used as evidence of them being a gang member unless there intelligence to suggest they were targeted due to being in a gang. Victims on the Matrix are automatically scored from CRIS for any violence offences they have been victim of in the last three years. This includes ABH, GBH, Attempted Murder, robbery, sexual offences and rape. The Mayor’s Office of Policing and Crime (MOPAC) carried out in-depth analysis for their review of the GVM. The final report was published in December 2018. As part of this review MOPAC undertook the most detailed analysis of the GVM that had ever taken place. This included exploring the population of the GVM over a five year period to create a cohort of 7,000 to analyse the impact this cohort has on offending. Police National Computer (PNC) was used to identify how many sanctions each of the 7,000 individuals had been involved in. A sanction is identified as an offence which the individual has received a conviction, caution or warning. MOPAC explored the offending of this cohort in three key time periods, six months before inclusion on the GVM, the first six months of them being included on the GVM and finally the first six months following removal from the GVM. Chart 1a presents the proportions of sanctions in each period. Chart 1a
7
As can be seen in the above graph the cohort identified had an increasing number of sanctions leading up to their inclusion on the matrix, these is followed by a sharp reduction once on the GVM and even further reductions once removed. The same can be seen when looking solely at violence sanctions. This clearly illustrates some of the successes of the GVM in reducing offending for those involved in gangs. Chart 1b shows the same chart looking at victimisation of the 7,000 cohort. Chart 1b
Victimisation follows a similar pattern to offending, with sustained lower levels both during and crucially after removal from the Matrix. This suggests that the Matrix has an important role in reducing harm amongst those included in it, particularly young black males. The charts above clearly identify key operational successes of the GVM in reducing the harm gang members are involved in and the victimisation on these gang members. The GVM supports reducing gang related violence by taking enforcement action against the most violent gang members and seeking to divert and safeguard those who are victims of gang violence and/or most at risk of being drawn into gang violence. The MPS will work with community safety partners (CSP) and third party organisations to make sure individuals involved in gangs who need help or want assistance in exiting gangs will receive the support they need. This can include mentor schemes; help with education, employment, re-housing and many more. Local partnership meetings will take place at a borough level where gang nominals and others will be discussed to achieve the above. Partners will differ in each London borough / BCU but will include CSPs such as local authority, Youth Offending Service, National Probation Service, Community Rehabilitation Company, Health, Education and more. They may also include third party and charity organisations such as Safer London Foundation, London Gang Exit, St Giles, Divert,
8
Abianda and many more. Partners are selected based on being able to provide relevant information around individuals that can assist in positive interventions to move them away from gangs and criminality. Positive outcomes of the GVM include arrests and remand of violent gang members on the GVM and diverting gang members away from gang lifestyle and criminality. This will include providing them with opportunities around education, employment and training. A Data Sharing Agreement (DSA) has been developed and signed off for the central sharing of the GVM with partners. The Pan London DSA has been used as a template for the local sharing of the GVM. This has been provided to Croydon Council for their feedback, on behalf of London Councils. Feedback has been received and incorporated into the latest version. This has also been to London Heads of Community Safety to make local Community Safety leads aware. Local DSAs were sent out to BCUs on 10/12/2019 to be implemented and signed by local partners so sharing of the GVM can commence. Sharing of the GVM will be in a number of ways including verbally at meetings. Access to the GVM is only available to partners via MPS BOX, further details about BOX can be found below under bullet point 5. To gain access partners must first sign a user agreement form which is approved by local BCU SPOCs. As of April 2020 a number of boroughs have signed their DSAs and sharing is beginning to take place.
Datasets used in the GVM include MPS indices Crime Recording Information System (CRIS) and CRIMINT (MPS intelligence database). These are used to identify intelligence and offending for individuals to be added to the GVM and also to score around violence and weapons. CRIS is also used to identify where gang members have been victim of violence offences and scores them in the same way as for offenders. This enables the MPS to identify gang members who are repeat victims and therefore may need support from police and partners to prevent them being victim of any further violence. Appropriate intelligence sources that may be used for inclusion include:
MPS Crime Recording Information System (CRIS)
MPS Intelligence database CRIMINT
MPS Missing Person system MERLIN
Intelligence from other Police forces or ROCUs
Social Media
Partnership information or intelligence.
Prison Intelligence Once they meet this definition and are added to the GVM they are scored through scoring criteria around violence and weapons intelligence and offences as both a victim and an offender. Every individual on the GVM is given two separate scores, one as an offender and one as a victim. From these scores every individual is also graded as Red, Amber or Green (RAG rating) as an offender and a victim with scoring thresholds for each of the RAG categories. These scores are based on offences and intelligence relevant to the individual only. They are then ordered by score to identify the highest risk gang members in every London BCU
9
and in London as a whole. They are also scored as victims and prioritised around risk of being further victims of violence. The RAG rating denotes the level or risk (victim) and harm (offenders) they pose. The scoring on the GVM is automated and updated on a daily basis. The scoring criteria has specific timescales which results in subjects’ scores going up and down on a regular basis. Scores will increase as they are involved in violence/weapons offending or intelligence and decrease as time passes without any offending or intelligence. Matrices are viewed and worked on locally in BCUs on a daily basis. BCUs also review their GVM cohorts at least every quarter with a focus on zero scorers and green nominals. This is done to identify individuals who can be removed from the GVM. The specific timescales for scoring mentioned above will result in some individuals having previous violent arrests and / or convictions but still scoring zero. Subjects remain on the GVM until they meet any of the below when they are removed.
There is evidence they have exited gang lifestyle.
They have not come to police notice for a significant period (12 months)
They are engaging in a diversion program for a period of time (6 months) and haven’t come to police notice since that engagement started.
They are deceased or have been deported.
They have moved away from London and are no longer believed involved in gang criminality within the Metropolitan Police Area.
Since the inception of the GVM over 4000 individuals have been removed. Individuals are not formally made aware of their inclusion on the GVM. Individuals requesting this information will be considered for each individual case.
The GVM has been running since 2012 and the general methods used within the GVM are not new and have been running in the same format for several years. Following the MPS being issued an enforcement notice by the ICO in November 2018 several changes to the GVM have been made. The GVM is now located in MPS BOX, further details around this can be found below under bullet point 5. Following the ICO Enforcement Notice and other significant external interest the MPS are reviewing various aspects including the scoring system and RAG currently used and what technology can be used to enhance the GVM. Personal details included on the MPS Gang Violence Matrix are full names, date of births, home addresses, ethnic origin, gender, PNCIDs. These personal details are all recorded for operational reasons and to assist in enabling the MPS to carry out and update equality impact assessments and to comply with its public sector equality duty. These are obtained from a number of Police indices including Crime Recording Information System (CRIS), CRIMINT (MPS intelligence database) and Police National Computer (PNC). Offender and Victim RAG status on the GVM are calculated by looking at victims and perpetrator data (suspects and accused) from CRIS and intelligence data from CRIMINT.
10
Data was held internally in the MPS on a secure shared drive on the MPS computer system Aware. Access to this folder is restricted to officers and staff in the MPS who need access for a policing purpose. Officers leaving the MPS automatically have their account disabled and therefore won’t have access to the shared drive. Access to the GVM is not available to anyone outside of the MPS. Partner agencies will receive information from the GVM based on Data Sharing Agreements (DSA) at a local or Pan London level. The GVM itself will not be printed. The MPS uploaded the Gang Violence Matrix into the new MPS Box (digital based storage solution) on 01/04/2019. BOX provides audit history of who has accessed the GVM. It will also monitor when and if changes were made, place restrictions on printing and reading time limits. This solution will provide the GVM with a more secure level of encryption. The shared drive previously used is secure but BOX adds additional security and auditing capabilities which has led to the decision to move the GVM into BOX. To gain access to the GVM officers and staff are required to complete a user access form which needs to be authorised by a Superintendent or equivalent and complete data protection training package ‘Information and You’. Access is only provided once these have both been completed. An access log of those who have access is completed centrally to monitor user levels. By necessity officers and staff from a variety of boroughs will have access to the GVM. This will include officers and staff working in Local Policing (LP) at Basic Command Unit (BCU) level as well as officers and staff in central units including, Met Intelligence, Trident Gang Crime Command and the Homicide Command. Officers and staff in central units (Homicide, Trident, Met Intelligence) will receive access to the pan London GVM. Local officers will receive access to a Dashboard version of the GVM as well as the Pan London Matrix. A small number of officers / staff per BCU (maximum of five per BCU) will have editor access rights to their own GVM. This is to enable them to make changes which includes adding and removing of individuals. Pan London access is required for local officers due to individuals being placed on the GVM where they reside and not where they or their gang are criminally active. This results in a number of individuals being on one BCU GVM but being relevant to other BCU GVMs. This regularly occurs when individuals are re housed to other areas of London. Gangs in London are also very fluid and have rivals and affiliations with other gangs in different BCUs. Giving access to the pan London GVM allows local officers to have the full picture around gang members in their area and also gang members that may impact on their area due to these rivalries and affiliations. The MPS has its own policy on retention, review and disposal. The retention policy for the Gang Violence Matrix documents will be, in MPS BOX only the most recent GVM will be stored. The GVM is automatically populated daily and this will overwrite the previous version. GVMs for a further four years will be stored in a secure location where only a small number of key officers and staff in Met Intelligence, the owning OCU of the matrix, will then have access. GVMs archived will then be permanently deleted after four years. GVMs are retained for operational and academic research and equality assessment purposes. Having four years data allows the MPS to analyse the value and impact of the GVM. Without having historic data including personal data it will not be possible to conduct the analysis required. This will have no impact to data subjects due to older GVMs only being available to a small number of MPS or MPS approved analytical staff. They will not be accessed by any operational officers and no operational decisions will be made based on older versions.
11
Retention in terms of individuals being on the GVM itself relates to quarterly reviews by BCUs managing GVMs and being removed based on criteria outlined previously in this document. These reviews will be flagged up by central teams in Met Intelligence to local BCUs. This will also be checked during audit inspections. Individuals’ data will be on the GVM until they have been removed when they meet the criteria previously mentioned. Their data will then no longer appear on any GVM going forward. Their data will remain on the previous matrices within the retention periods set out above. Only those with an MPS aware account can access the GVM and only officers and staff with a policing need as per above are authorised access. An access log of all officers and staff who have access to the GVM is held. The GVM is held on a Microsoft Excel spreadsheet and an internet based tableau dashboard. The retention policy for the Gang Violence Matrix is set out above. GVMs will be manually deleted or archived outside of the relevant dates. An automated process will also be looked at so GVMs are automatically deleted or archived.
3. Data Protection and 'Privacy Law' Assessment
European Convention of Human Rights:
Article 8: Right to respect for private and family life
1. Everyone has the right to respect for their private and family life, their home and their correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The MPS is a public authority, therefore, is subject to a statutory duty under the Human
Rights Act (HRA) section 6(1) not to act inconsistently with a Convention right. The
relevant Convention right for the purposes of this processing is Article 8(1) of the
Convention.
Article 8(1) is a qualified right and does not prohibit lawful and proportionate law
enforcement activities which are necessary for the prevention or detection of crime. It is
12
for this reason that the MPS believes that the interference with the Article 8(1) rights can
be justified under Article 8(2). The purpose is the prevention and detection of crime. This
falls squarely within one of the permissible bases for interference in Article 8(2), which
refers specifically to the prevention of disorder or crime. For the interference to be
justified it would need to be “in accordance with the law” and “necessary in a democratic
society”, within the meaning of Article 8(2).
1. Does this project / initiative address a pressing social need? If so, outline it here:
The GVM addresses a pressing social need in terms of tackling rising violent crime in London. Violence is a key priority in London both for MOPAC and the MPS following an increase in knife and gun crime in the last two years. Gangs are a significant contributor to violence in London and their involvement in violence increases when looking at the most serious and harmful end of violence. The table below shows the gang proportion of specific violent crime types in the last three years. This table evidences the impact of gangs with a high percentage of firearm discharges being linked to gangs and shows Gang-related violence is significantly more likely to result in serious injury. The below proportions evidences the need for the MPS to tackle gangs to reduce violence in London. Therefore tackling gangs is a key strand in reducing violence in London.
Knife Injury under 25 (Non-DA) 1853 2138 1827 5818
Gang related 26% 21% 19% 22%
Analysis completed by MOPAC on the Gang Violence Matrix shows a number of positive measures. These include, sanctions of individuals (sanction is conviction, caution or warning shown on Police National Computer - PNC) on the GVM increases before being added, then see a sharp reduction once on the GVM and further reductions once removed. This trend can also be seen when looking at violence sanctions. This shows being on the GVM helps reduce overall and violent offending gang members are involved in. Average sanctions follow the same trend as above of reducing from before being on the GVM to once on the GVM and further reductions once removed. This is another
13
positive indicator of the GVM reducing sanctions and violent sanctions committed by gang members.
2. Are your actions/data sharing a proportionate response to the social need this project / initiative has identified?
We are proportionally looking at those who the MPS should be targeting based on information and intelligence received and the action will be appropriate to the risk the offender presents. This is a proportionate response in that persons are on the GVM based on crime and intelligence that they are members of a gang, and present either a risk of violence or being the victim of violence. The use of a scoring system to identify the risk that the individual presents and faces will enable officers to determine effectively appropriate measures in order to reduce that risk. The GVM policy details the scoring system. The consideration of appropriate tactics based on this risk will form part of further consultation into the use of the GVM. The sharing will be done within the data sharing agreements (DSA) that have been completed at borough / BCU Level.
Data Protection Act 2018
Principle 1 (Section 35)
(1) Processing of personal data for any of the Law enforcement purposes must be lawful and fair.
(2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either –
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
(3) In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
(4) The first case is where-
(a) the data subject has given consent to the processing for the law enforcement as mentioned in subsection (2)(a), and (b) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(5) The second case is where-
(a) the processing is strictly necessary for the law enforcement purpose,
(b) the processing meets at least one of he conditions in Schedule 8, and
(c) at the time when the processing is carried out, the controller has an appropriate policy document in place (see Section 42).
(8) In this section, “sensitive processing” means-
(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
14
(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c) the processing of data concerning health;
(d) the processing of data concerning an individual’s sex life or sexual orientation
The Sharing of police information must be linked; to a policing purpose. The Management of Police Information (MoPI) Code of Practice defines policing purpose as:
- Protecting life and property.
- Preserving order.
- Preventing the commission of offences.
- Bringing offenders to justice.
- Any duty or responsibility of the police arising from common or statute law
Data Protection Act 2018:
Where the processing, by its very nature, may not be considered as lawful and fair, the MPS relies on the following Sections of the Data Protection Act 2018 when processing this information:
Schedule 2, Part 1, Section 2(1)(a)(b)
2(1)”The listed GDPR provisions” and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
(c)the assessment or collection of a tax or duty or an imposition of a similar nature,to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).
Schedule 2, Part 1, Section 2(2)(a)(b)
(2)Sub-paragraph (3) applies where—
(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and
(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.
(Statutory Partners are exempt from the Right of Access obligations, only where the policing information they hold, has been provided; to them by the MPS for the discharge of the Partners statutory functions).
15
The policing information is held; by the MPS for the prevention or detection of crime, or the apprehension or prosecution of offenders.
Schedule 2, Part 1, Section 2(3)(a)(b)(c)(d)
(3)Controller 2 is exempt from the obligations in the following provisions of the GDPR—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),
to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).
Schedule 1, Part 2 and Part 3 lists various conditions which, when fulfilled, allow for lawful processing of special categories of personal data and criminal convictions etc data.
Part 2 Substantial Public Interest Conditions
Statutory etc and government purposes 6(1)(2)
Administration of justice and parliamentary purposes Section 7(a)(b);
Preventing or detecting unlawful acts Section 10(1)(2)(3);
Safeguarding of children and of individuals at risk Section 18(1)(2)(3)(4).
Part 3 Additional Conditions Relating To Criminal Convictions Etc
(1)This section applies for the purposes of section 35(4) and (5) (which require a controller to have an appropriate policy document in place when carrying out sensitive processing in reliance on the consent of the data subject or, as the case may be, in reliance on a condition specified in Schedule 8).
Schedule 8, Part 3 lists conditions which are applicable for sensitive processing under Part 3 (Law Enforcement Processing)
16
sensitive processing” means—
(a)the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b)the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c)the processing of data concerning health;
(d)the processing of data concerning an individual’s sex life or sexual orientation.
Part 3 Conditions For Sensitive Processing Under Part 3
Safeguarding of children and of individuals at risk Section 4(1)(2)(3)(4);
Personal data already in the public domain Section 5;
Legal claims Section 6(a)(b)(c);
Judicial acts Section 7;
Archiving etc Section 9(a)(b)(c).
Utilisation of the GVM database provides officers with a valuable intelligence for tackling gang related violence and gang membership in London, and operates in furtherance of the core principles. The Sharing of police information must be linked to a policing purpose. The Management of Police Information (MoPI) Code of Practice defines policing purpose as:
a) Protecting life and property b) Preserving order c) Preventing and detecting offences d) Bringing offenders to justice e) Any duty or responsibility of the police arising from common or statue law
A record of the monitoring and issues identified will be used when undertaking and/or conducting an audit.
It is the view of the MPS that the requirement for this processing to be both fair and lawful is met through the pressing social need outlined in this DPIA (please refer to the Introduction and Section 1). The legal framework and existing body of guidance on which the MPS relies is provided by the following:
17
The Data Protection Act 2018 (including Compliance Policy and Guidance)
NPCC Authorised Professional Practice (APP)
NPCC (2005) Guidance on NIM, NIM Guidance and NIM Codes of Practice (2005)
APP Intelligence Management Guidance
2010 Guidance on the Management of Police Information
The APP Data Protection Manual of Guidance
MetSec Code
MPS Information Management Support Pages
1. How will you tell individuals about the use of their personal data?
The MPS has a mature Information Governance Strategy and Structure in place which incorporates the requirements of the MPS to be open and transparent around the nature in which (sensitive) personal and special category data are to be processed (where possible).
The MPS has a comprehensive Privacy Notice. This notice includes full details of how a subject may exercise their right of access to their personal data.
Individuals are not routinely notified that they are on the Gang Violence Matrix as this may impact on their behaviour and result in more offending and could impact on covert policing operations.
2. Are you content that the MPS privacy notices covers the intended processing? If the MPS Privacy Notice will not cover processing after seeking advice ISSU please describe in the box below the additional notice required with a link to it.
I have read the MPS Privacy Notice and I am content that it sufficiently covers the intended processing.
3. Describe below whether you are relying on consent to process personal data, and how this will be collected? If obtaining consent (see explanation below) would prejudice the purpose the data is collected, what legal basis you will be using? Note: Consent from data subjects, is not always relied upon as a legal basis to process data. This is because consent can be withdrawn by the data subject at any time. If consent is withdrawn, the MPS must delete the data and demonstrate another legal basis.
We are not relying on consent to process personal data.
18
Principle 2 (Section 36)
Personal data collected for the law enforcement purpose, on any occasion must be specified, explicit and legitimate, and must not be processed in a manner that is incompatible with the purpose for which it was collected.
The intended processing is in line with the purposes outlined above, those listed in the Privacy Notice and our notification with the Information Commissioner’s Office: Registration No: Z4888193.
1. Have you identified potential new purposes as the scope of the project expands? If the answer to this question is ‘yes’, then you must seek the advice of the ISSU.
No new purpose has currently been identified for the GVM, as part of this process. The purpose remains to reduce gang related violence and prevent lives being lost.
Principle 3 (Section 37)
Personal data shall be adequate, relevant and limited to the necessities of the purposes for which they are processed.
The MPS will not process exhaustive amounts of personal information on the loose premise that it may be useful now or in the future (excessive data collection is also a breach of the DPA 35(2)(b)). This approach would be highly time and resource intensive, as well as potentially costly.
If at any point, the data processed is found to be excessive to the purpose, then the processing may be ceased. As previously mentioned personal details included on the MPS Gang Violence Matrix are full names, date of births, home addresses, ethnic origin, gender and PNCIDs. These are all essential information that is needed to maintain the GVM. Other additional personal information will not be included on the GVM. Enforcement work undertaken against GVM nominals should be in line with their RAG status unless there is additional intelligence that identifies risk that needs a policing response. The GVM will be audited by MO5 - Covert Governance which is a specialist unit within the MPS who will look at a variety of aspects around the GVM including auditing who is using the GVM and why as well as local inspections to teams processing personal data.
1 Which personal data could you not use, without compromising the needs of the project?
There is no personal data that could not be used for the project. The personal data on the GVM is limited and is also essential to the needs of the GVM.
Principle 4 (Section 38)
Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to
19
ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
The MPS is mindful of the potential damage and distress to the data subject, the organisation and to third parties if the data processed was inaccurate in anyway. To mitigate this, an ongoing examination of the accuracy and quality of the data must occur throughout the course of the processing. Gang Violence Matrices are worked on locally in BCUs on a daily basis. This includes keeping all personal information up to date.
1 If the MPS is procuring new software, does it allow the data to be amended / deleted when necessary? The answer to this question must always be yes. The system should also enable the ability to note that the accuracy of information has been challenged and why.
The Gang Violence Matrix has been moved to a more secure location called MPS BOX. BOX wasn’t procured solely for the GVM but is being used to process and store the GVM as it adds additional security to the shared drive. BOX allows data to be amended and deleted. BOX enables the MPS to audit who has accessed the GVM, when and state if a new version of the file has been saved (e.g. amendments were made). All 12 BCUs are allowed up to five editors to keep the number of officers and staff amending the GVM to a minimum. These editors are responsible for the accuracy of the data.
2 How is the MPS ensuring that personal data obtained from individuals or other organisations is accurate?
Any personal data received from individuals or other organisations will be cross checked with MPS police indices which include Crime Recording Information System (CRIS), CRIMINT (MPS intelligence database) and Police National Computer (PNC).
Principle 5 (Section 39)
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose for which it is processed.
The information will be retained in line with our Retention, Review and Deletion policy, document attached below:
records-manageme
nt---retention-review-and-disposal-rrd-tables.pdf
1 What retention periods are suitable for the personal data the MPS will be processing?
Gang Violence Matrices are only stored in an accessible location for the day until the next time a GVM is produced when previous copies are overwritten. As previously mentioned GVMs are retained for four years in a secure location, accessible only by designated officers and staff for academic research and equality assessment purposes. In relation to retention of those on the GVM, local BCUs will remove on a regular basis but will review their GVM cohorts at least every quarter.
20
2 Are you procuring software that will allow the MPS to delete information in line with the corporate retention policy? (The Answer to this Question must always be Yes. ) If you are using current MPS software then it might not be possible to delete see guidance.
It is the responsibility of the GVM manager and his team in MO2 - Met Intelligence to remove old versions of the GVM. Deletion takes place on a daily basis Monday to Friday. MO5 will also audit the deletion of old GVMs. Older versions are stored on the shared drive, with access limited as previously outlined. The shared drive is a networked drive and does not link to individuals hard drives of their device, therefore the files do not go in any recycle bin. Once they are deleted from the shared drive they are only held in our secure and protected IT back-up solution. These are held for a maximum of seven years in the disaster recovery system.
Principle 6 (Section 40)
1. Personal data shall be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.
2. Appropriate security includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Only MPS officers and staff have access to the Gang Violence Matrix which is stored securely on BOX. Officers leaving the MPS automatically have their account disabled and therefore won’t have access to the GVM on BOX. BOX provides audit history of who has accessed the GVM. It will also monitor when and if changes were made, place restrictions on printing and reading time limits. Access to the GVM is available to partners outside of the MPS if there is a signed Data Sharing Agreement in place and those wanting access have signed a user access form. The user access form sets out the rules of partners getting access. This includes they are not permitted to print the GVM, take pictures on their phones, pass the information to anyone else. Partners can only access a sub set of the GVM and can access a preview of the GVM on BOX. Preview access doesn’t allow partners to download the GVM into any other platform including Microsoft Excel.
To gain access to the GVM officers and staff are required to complete a user access form which needs to be authorised by a Superintendent or equivalent and complete data protection training package ‘Information and You’. The data protection training is checked against corporate lists of officers and staff who have completed this training. A certificate of completion can also be sent to MO2 – Met Intelligence by the officer or staff member requesting access to prove completion of this training. Officers and staff have to have a policing reason to access the GVM. Access is only provided once these have both been completed. An access log of those who have access is completed centrally to monitor user levels.
The MPS has software in place to protect its systems from external attack.
Safeguards
21
Safeguards: Archiving:
Personal and special category data shall be processed where the processing is necessary for archiving purposes in the public interest
The GVM is archived for academic research and equality assessment purposes.
Safeguards: sensitive processing: The processing of personal and special category data is reliant on the consent of the data subject and reliant on a DSA, or reliant on a condition specified in schedule 8.
Appropriate Information Sharing Agreements (ISA) exist. Data Sharing Agreements (DSA) are being implemented to replace the ISA as part of the legislation change under GDPR.
Miscellaneous Considerations
1. Complaint Handling
Complaints about the use of Personal Information in relation to this project should be handled by the MPS Data Protection Officer (DPO).
2. Freedom of Information Act 2000 (FoIA)
The MPS shall demonstrate a commitment to openness and transparency regarding this processing, subject to any limitations posed by security or confidentiality requirements.
The MPS is a public authority for the purposes of the FoIA 2000. This means that any information held by the MPS is accessible by the public on written request, subject to certain limited exemptions.
In line with guidance from the ICO, the MPS will place this DPIA and other associated documents on our FoIA Publication Scheme, so the public can be aware of how we process personal data. The only exception to this will be the following:
Legal Advice
Commercially Sensitive material
Personal Data Pertaining to the Consultation Participants
Information which would otherwise affect the operations of the MPS and is not in the public's interest to disclose.
All public requests for information should be directed to the MPS DPO.
1. Individual Rights
22
GDPR Recital 1(1) the protection of natural persons in relation to the processing of personal data is a fundamental right. (2) Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
2. Transfers Outside the European Union (EU)
GDPR Recital 101 (3) Personal data transferred from inside the EU to controllers, processors or other recipients outside international organisations (5) can only take place if, the conditions relating to the transfer of personal data are complied with by the controller or processor.
The MPS GVM or any data within it will not be transferred outside of the EEA.
4. Consultation Results
1. Public Consultation
1.1 The MPS has consulted with a number of Independent Advisory Groups (IAGs) over the last 12 months. IAGs give independent advice, to challenge MPS thinking and to bring the community voice into decision making at all levels. In simple terms, they help improve how the MPS police and equally important, they reassure communities around London. A frequently asked questions and briefing document has been circulated to these IAGs to give some detail and context around the Gang Violence Matrix. Presentations on the GVM have also been delivered to a number of IAG meetings including the Race IAG, Territorial Policing IAG Chairs, Trident IAG and local borough IAGs in Croydon and Ealing.
The privacy by design features outlined within this document will form part of the annual review of this DPIA to ensure adequacy of the protections they afford to the processing. The below table provides the method of public consultation employed by the MPS unit and the outcomes of the consultation.
Date Method of Consultation
Stakeholder Outcomes
1. 07/03/18 Briefing document and frequently asked questions (FAQ) sent to IAG chairs. (documents shown in Annex B)
IAG Chairs Briefing document sent out to enhance knowledge of the GVM and provide some basic information to help inform IAGs and communities about following external interest in the GVM.
2. 23/04/18 Presentation to TP IAG Chairs
IAG Chairs A number of questions were asked around aspects of the GVM including disproportionally, process for removal and consistency. These were answered
23
during the meeting and positive feedback was received.
3. 02/05/18 Presentation to Trident IAG
Trident IAG The Gang Violence Matrix was discussed at the Trident IAG in May following the release of the Amnesty Report on the Gang Violence Matrix.
18/06/18 Presentation to Race IAG
Race IAG A number of questions were asked including disproportionally, whether individuals are made aware of their inclusion, process for removal and inconsistencies. These were answered during the meeting.
12/07/18 Presentation to Ealing IAG
Ealing IAG The GVM was discussed at the Ealing IAG following a request from the group to have an update from the MPS on the GVM following various external interest in the GVM. It was a useful and engaged meeting with several questions from IAG members relating to entry on the GVM, the purpose and vulnerability side of gangs including county lines. The IAG were supportive of the use of the GVM and understood why the MPS used the GVM.
2017 - 2018
Meetings, emails, phone calls
MOPAC The MPS have been working with MOPAC around the Gang Violence Matrix since 2017 following a review of the GVM by MOPAC which was published in December 2018. Analysis by MOPAC has identified a number of key successes of the GVM and has also highlighted some areas of improvement.
24/01/19 Briefing to Living in Hackney Scrutiny Commission
Partners in attendance included local Hackney councilors, Community Safety Managers, Integrated Gangs Unit Manager and Amnesty International.
DCS Ivan Balhatchet and DSU Claire Crawley briefed the meeting around the GVM and the MPS response to both the ICO Enforcement Notice and the MOPAC Gang Violence Matrix Review. This was well received by the group and led to a number of questions. Amnesty International raised concerns that were outlined in their Trapped in the Matrix report which was released in Oct-18 but were pleased to see the MPS making steps to make sure the GVM was compliant with data protection.
06/02/19 Presentation to Trident IAG
Trident IAG DCI Phil Mills - Met Intel attended Trident IAG and briefed the group on the GVM.
24
This included details of Equality Impact Assessment being produced, concern hub pilot in Lewisham. A number of questions were asked including about training, review and removal process, police response to RAG, how gang affiliation is justified and more. They were supportive and happy the MPS is producing an EIA and would like the MPS to do roadshows where the MPS alongside the IAG meet local communities and jointly explain the GVM.
19/02/19 Presentation to Wandsworth IAG
Wandsworth IAG General briefing given on the Gang Violence Matrix with local BCU Gangs DI supporting from a local perspective in terms of partnership work locally. Briefing included details of new external website on the GVM and changes being implemented to meet the actions set by the ICO. Q&A followed the briefing with a number of questions about the GVM including age profiles, partnership working, diversion work and whether subjects are informed of their inclusion. IAG Chair was keen to know how the IAG can help the Police with the Gang Violence Matrix locally. New website will be forwarded to IAG members.
20/02/19 Website link for the Gang Violence Matrix sent to all BCU Commanders for this to be circulated to all IAGs across the MPS.
IAG Chairs The new website for the GVM has been sent out to enhance knowledge of the GVM and the website through IAGs so these can be further passed out to local communities.
21/05/19 Bi monthly Meeting Tayo Prince – SNB Chair Lewisham
No concerns raised
21/05/19 Bi monthly Meeting Eileen Glover – SNB Chair Greenwich
No concerns raised
22/05/19 Presentation given at meeting
Lewisham Safer Stronger Scrutiny Committee
No concerns raised and reassured with steps taken
10/06/19 Bi monthly Meeting Gordon Glean – IAG Chair Lewisham
No concerns raised
25
26/06/19 Central West BCU IAG Briefing (Covering Westminster, Hammersmith and Fulham and Kensington and Chelsea).
Independent Advisory Group (IAG) chairs across the BCU
The role of the Integrated Gangs and Exploitation was highlighted. The benefit of the Gangs Violence Matrix was explained so that the communities understand how this reduces offending and crime.
18/07/19 Weekly team briefing with partners who fall under the IGU
Westminster Council IGU
Context understood – no queries raised
18/07/19 Public Forum Somali public forum.
No negative feedback received
23/07/19 Personal Briefing Westminster Council Youth Crime Prevention Partnership
The IAG stated that the information provided neatly summarised the context, findings and actions. The only suggestion put forward was that in the circulating email a link was given to the Met’s glossary: https://www.met.police.uk/foi-ai/af/accessing-information/met/glossary/. Ideally the specific terms would be extracted and included in a supporting documents that was sent to partners.
03/06/19 Email/follow up meeting to be held on Wednesday 12/06/19.
Hackney - SNB Chair & deputy.
The SNB stated that they understand the information provided and offered no further comments or feedback.
03/06/19 Email Hackney - IAG Chair.
The IAG did not offer any comments or feedback re the information provided to them.
12/07/18 Meeting
MOPAC Reference Group Meeting. Attendees include MOPAC, MPS, Stop Watch, Black Training Enterprise
First meeting of the Reference set out the scope and work of the group as well as frequency of meetings. Members of the group provided their views on this. MOPAC updated on their work so far on their review of the GVM. More detail around demographic analysis of the GVM was requested.
26
Group, Amnesty International, The Monitoring Group.
11/04/19 Meeting
MOPAC Reference Group Meeting. Attendees include MOPAC, MPS, Stop Watch, Black Training Enterprise Group, Amnesty International, The Monitoring Group.
Reference Group members provided feedback from communities on the MOPAC review of the GVM. The MPS provided an update on the action plan to implement the recommendations from the ICO and MOPAC. Update included DPIA, Engagement, open source and the Concern hub. Questions were asked by the group and actions raised for the MPS to update on at the next meeting. Terms of Reference for the group and next steps were also discussed.
24/06/19 Meeting
MOPAC Reference Group Meeting. Attendees include MOPAC, MPS, Stop Watch, Black Training Enterprise Group, Amnesty International, The Monitoring Group.
MPS provided an update on the action plan to implement the recommendations from the ICO and MOPAC. Update included training, audit process and green nominals review. Questions were asked by the group and actions raised for the MPS to update on at the next meeting. Discussion of MPS engagement strategy. MOPAC updated on work around an independent review of the Equality Impact Assessment for the GVM with suggestions made by the reference group of improvements required.
12/07/18
Ealing IAG Meeting Ealing Borough Independent Advisory Group (IAG)
The Gang Matrix was discussed at the Ealing IAG following a request from the group to have an update from the MPS on the Gang Matrix following various external mention of the Matrix. It was a useful and engaged meeting with several questions from IAG members relating to entry on the matrix, the purpose and vulnerability side of gangs including county lines. The IAG were supportive of the use of the Matrix and understood why the MPS used the Matrix.
Jan 2019 Face to face delivery by DCI Kennett at IAG monthly meeting
Haringey IAG
Verbal briefing with PowerPoint of supporting info given on the MPS Gang Matrix by DCI Kennett including reason for Matrix, use and current changes being implemented and why as set by the ICO review. IAG to be further updated
27
once ISA complete and signed off with any changes that affect local community.
Feb 2019 Face to face delivery by DI Masterson at the monthly IAG meeting
Enfield IAG
Verbal briefing with PowerPoint of supporting info given on the MPS Gang Matrix by DI Masterson including reason for Matrix, use and current changes being implemented and why as set by the ICO review. IAG to be further updated once ISA complete and signed off with any changes that affect local community.
Apr 2019 Face to face by DS Lindsey Billany
Gang Action Group (YR)
Brief summary of changes and restrictions around ICO review and work going on to rectify the concerns raised and enable more confidence in the Matrix and its use. This is a monthly meeting and updates will be made once there is an update regarding ISA.
17/04/19 Face to face by DS Lindsey Billany
Gangs Partnership Group (YE)
Brief summary of changes and restrictions around ICO review and work going on to rectify the concerns raised and enable more confidence in the Matrix and its use. Update that previous slide showing most at risk Matrix nominals will no longer be supplied until ISA written and agreed with partners.
02/05/19 Face to face
London Borough Newham scrutiny panel, focusing on Gang violence.
Scrutiny panel showed considerable interest in the amendments and demonstrated reassurance at the changes and oversight
10/06/19 SNB meeting
Kingston SNB
Explained purpose of matrix, ICO notice and changes. No concerns raised.
20/06/19 S&SCMG meeting
Merton S&SCMG
General briefing given by Partnership Inspector followed by Q&A session. No concerns, happy with changes
24/06/19 Face to Face by DS Enfield YOU Brief summary of the changes and restrictions around ICO review and how info sharing can be completed in the interim to assist them in their risk assessments when dealing with young offenders associated with different and rival gangs.
04/07/19 Briefing sent via email, requesting staff are given time to read it.
Proactive Gangs Unit
Circulated - no queries raised.
28
04/07/19 Briefing sent via email, requesting staff are given time to read it.
Detective Inspector for YOT/IOM/Jigsaw
Circulated - no queries raised.
23/07/19 S&SCMG meeting
Wandsworth S&SCMG
General briefing given by Partnership Inspector followed by Q&A session. No concerns, happy with changes
01/08/19 MAVES meeting
Ealing Borough Independent Advisory Group (IAG)
Members of SA gang who are on the matrix were discussed due to the heightened tensions between these youths and currently identified youths in North London.
06/08/19 Kingston IAG
Kingston IAG
General briefing given by SNT Inspector followed by Q&A session. No concerns, happy with changes
08/11/19 Meeting
MOPAC Reference Group Meeting. Attendees include MOPAC, MPS, Stop Watch, Black Training Enterprise Group, Amnesty International, The Monitoring Group.
MPS provided an update on the action plan to implement the recommendations from the ICO and MOPAC. Update included governance, green nominals review, data storage and sharing and lessons learned from the GVM. Questions were asked by the group and actions raised for the MPS to update on at the next meeting. MOPAC updated on work around an independent review of the Equality Impact Assessment for the GVM and on the future role of the reference group.
14/02/2020 Meeting
MOPAC Reference Group Meeting. Attendees include MOPAC, MPS, Stop Watch, Black Training Enterprise Group, Amnesty International, The Monitoring Group.
MPS provided an update on the action plan to implement the recommendations from the ICO and MOPAC. MPS provided an update on actions and the Concern hub as well as showing the group a video relating to the GVM that the MPS want to release on social media. The Group provided feedback on video and around the MPS stance to not tell people they are on the GVM.
29
5. Balanced Risk Assessment
No Risk Likelihood L/M/H
Impact L/M/H
Solutions / Mitigations
Residual Risk
MPS SIRO Sign-Off
1. Incorrect data handling by those who we share GVM data with.
L
H
Policy document outlining how the data should be shared in place which outlines the expectation of those receiving data. Standardised ISA / DSA to be produced for all sharing of the GVM across the MPS both locally and centrally to ensure consistency. The GVM moved to BOX to increase security and auditing. Auditing of the GVM to be taken over by MO5 Covert and Governance.
Low
2.
MPS data is leaked or accessed by those outside of the organisation.
L H The data is held on MPS BOX to increase security and auditing to prevent breaches taking place. MO5 Covert Governance audit who accesses the GVM on a regular basis. Anyone downloading the GVM will automatically be audited. DSA with specific restrictions on sharing also migrates some of the risk around this.
Medium
3.
Data leaked by officers/staff who have access to the data
L H DPS targeting corrupt officers and staff. Training provided to relevant officers and staff.
Low
4.
Incorrect data handling by MPS officers/staff who have access to the data.
L H Training provided to relevant officers and staff at BCU level. All officers with access to the GVM need to have completed mandatory Data Protection training ‘Information and You’. Policy
Low
30
document outlining how the data should be shared.
5. The risk of individuals being inappropriately included on the GVM
M H The Standard Operating Procedure (SOP) for the GVM sets out the rules for how the GVM should be managed, this includes the GVM being updated and reviewed on a regular basis. Local GVMs should be reviewed at least every three months, MO5 Covert Governance inspect all BCUs around their management of the GVM. This will include asking the last time BCUs reviewed their GVM cohort and added / removed individuals. This is to make sure local GVMs are as current and accurate as possible. MO2 Met Intelligence also deliver training to BCU officers which includes making sure their GVMs are accurate.
Medium
OFFICIAL Template Version 2.0
Metropolitan Police Service (MPS) October 2018
Page 31 of 37
OFFICIAL
6. Implementation of DPIA Outcomes Responsibilities
Action to be taken Date for completion of actions
Responsibility for action
1. Production of Gangs Toolkit which will include a policy document specific to the Gang Violence Matrix.
December 2019 Specialist Crime
2.
Production of Equality Impact Assessment
May 2019 Met Intelligence
3.
Further stakeholder consultation May 2019 Community & Engagement
1. Conclusion Completing the DPIA has identified risks that have a medium or low likelihood of occurring. The GVM has previously been leaked and the MPS has put in a number of things in place to mitigate the likelihood of any further breaches. These include:
Moving the GVM to BOX which is more secure and has additional audit capability than where
the GVM was previously stored.
Starting access again and officers and staff wanting access are required to complete a user
access form which needs to be authorised by a Superintendent and complete Data Protection
training.
MO5 Covert Governance audit the GVM both on system use and the management of GVMs
locally in Basic Command Units (BCUs)
Identifying Superintendent SPOCs for all BCUs and deputies who are responsible for their
GVMs.
Training delivered centrally to all SPOCs, deputies and editors.
Stopping the sharing of the GVM until a Data Sharing Agreement is in place. The DSA is close
to being signed off.
The Matrix is a key intelligence tool for the MPS to assist in reducing gang related violence in London. This is evidenced by the MOPAC review of the Gang Matrix which shows the impact the matrix has had in reducing offending and victimisation of those on the matrix. Violence in London, including gang related violence will not be solved by Policing alone and therefore working with partners is a key strand. The sharing of information from the GVM with partners is essential in reducing violence, preventing loss of life and safeguarding against those most vulnerable and affected by gangs. Data Sharing Agreements (DSA) are required to be in place for this sharing of information at a local level. This DPIA is to be updated as and when any changes are implemented in the working of the GVM and further consultation on the GVM takes place with IAGS and local communities. Moving forward the GVM will be owned and governed in Met Intelligence at Commander level. All the above will be documented within a new Gangs Toolkit which will include a policy document for the GVM which was produced in May 2019.
8. Data Protection Impact Assessment Sign-off
Distribution list
Recipient Title Location
Change control
1. Project Sponsor
Sign Below:
Name: Mark Morgan Position: Met Intelligence
OCU Commander
Date: 28/02/2019
2. T/Head of Information Law and Security
Sign Below:
Data Protection
Impact Assessment 2018 - MPS Gang Violence Matrix ver 7 DPO signed.pdf
Nigel Shankster on behalf of Darren Curtis
Name: Nigel Shankster Date: 12/12/2019
Version Date Authority Evidence of approval Record of change
Appendix A – Glossary
Term Acronym
Description
Data Controller Has the same meaning as in section 1(1) of the DPA, that is, the person who determines the manner in which and purposes for which Personal Data is or is to be processed either alone, jointly or in common with other persons
Data Protection Act 2018 DPA Includes all codes of practice and subordinate legislation made under the DPA from time to time
Data Subject Has the same meaning as in section 1(1) of the DPA being an individual who is the subject of Personal Data
Freedom of Information Act 2000
FOIA Includes the Environmental Information Regulations 2004 and any other subordinate legislation made under FOIA from time to time as well as all codes of practice
Human Rights Act 2018 HRA Includes all subordinate legislation made under the HRA from time to time
Information Any information however held and includes Personal and Special Category Data, Non-personal Information and De-personalised Information. May be used interchangeably with ‘Data’
Information Commissioner’s Office
ICO The independent regulator appointed by the Crown who is responsible for enforcing the provisions of the DPA and FOIA
Metropolitan Police Service
MPS The police force for the London metropolis area (excluding the City of London)
Pseudonymous Information that has never referred to an individual and cannot be connected to an individual.
Notification The Data Controller’s entry in the register maintained by the Information Commissioner pursuant to section 19 of the DPA
Process Has the same meaning as in section 1(1) of the DPA and includes collecting, recording, storing, retrieving, amending or altering, disclosing, deleting, archiving and destroying Personal Data
Personal Data Personal data is information relating to a living identified or identifiable individual
Special Category Data Special category data is information relating to racial, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life / orientation, criminal convictions and offences, related security measures or appropriate safeguards.
ANNEX B Supporting Evidence of Consultation Briefing document for IAGs:
MPS Gang Violence Matrix Briefing for IAG and Communities
Frequently Asked Questions on the Gang Violence Matrix for IAGs:
Frequently asked questions about the Gangs Matrix Sep-17 for IAG
Agenda for TP IAG Chairs meeting 23/04/2019:
Agenda - IAG Chairs
for Monday 23 April 2018 Minutes of ‘Living in Hackney Scrutiny Commission Meeting’ 24/01/2019:
Living in Hackney
Scrutiny Commission - 240119
Agenda for Trident IAG meeting 06/02/2019:
Trident IAG Agenda
06.02.2019
Appendix C – Document Handling Instructions
To maintain the secure handling of this document, the below Handling Instructions MUST be read and complied with as part of your responsibilities in receiving this document. These instructions replace all other previous instructions which may have formed part of this document
Authority for Publication This document can only be made public on the explicit Authority of either or a combination of the following Authorities:
1. During the lifetime of this Project – the assigned Project Lead /
Senior Information Risk Owner (SIRO)/ or the MPS’ Data Protection
Officer [or their nominated Deputy].
Information Security [Access Controls] And
Personnel Security Clearance [Vetting]
[MPS Vetting Policy takes precedence]
1. As well as those roles identified within the Front Cover of this
document, this document can be made available to MPS staff involved
with the MPS Gangs Matrix:
1. For MPS personnel - MPS Recruit Vetting (RV) or Counter-
Terrorist Check (CTC) Additionally, access is also reliant on a direct need to know basis.
Physical Security [Storage/ offsite use of information]
[Remote Working – Working Away From the Office - WAFTO]
This relates mainly to where there is a requirement to have access to this document away from an approved location [e.g. Working Away From the Office/ Homeworking, etc.].
As such, where approval has been received [i.e. as part of your organisation’s WAFTO policy, etc.], the following rules are to be applied:
1. Electronic access to this document remotely can only be from
nominated locations and via appropriately accredited solutions, or
stored on appropriately accredited devices (e.g. approved laptops,
not your own device, etc.]. Always be mindful of your surroundings
and who else is within the vicinity their clearance/ ‘need to know’ 2. When handling paper versions of this document away from
the office, always be mindful of your surroundings. The document
Must Not be reviewed when within public areas where there is a
risk of ‘shoulder surfing, lost/ theft, etc. (i.e. whilst on/within public
transport, cafes, lobby areas, etc.).
3. Always ensure that all paper versions are stored within a
physically robust cabinet/ safe which also has a robust locking
mechanism with access restricted to only authorised individuals.
Electronic Security [Removable Media]
The document can be held/ processed Only on MPS corporately owned infrastructure/ issued devices [laptops, tablets]/ media [USBs, CDs, DVDs] or other ICT solutions, which have been approved by the MPS security personnel.
To maintain the secure handling of this document, the below Handling Instructions MUST be read and complied with as part of your responsibilities in receiving this document. These instructions replace all other previous instructions which may have formed part of this document
Movement [internal dispatch/ UK use of Post/ Courier Services]
The following despatched guidance/ instructions apply.
Where this document has a GSC marking of OFFICIAL
Through the use of the MPS’ Internal despatch service – sealed
envelopes/ containers with GSC marking and any other
descriptors shown.
By trusted hand - in that it must be somebody with a security
clearance appropriate for unsupervised access. The bearer of the
document should (in theory) be able to access and read the
document unsupervised.
For sending personal data outside the UK you must comply with
Data Protection Act 2018. Initially seek advice from the Information Rights Unit (IRU) via an email to DPA Mailbox - SAR.
Movement [Use of Post/ Courier Services outside UK]
This also includes the use of Fax machines
The document Must Not be sent outside of the UK without first initially consulting with the Author for approval or the roles identified within the above Authority to Publication section of these Handling Instructions
