Exclusive: Met Police website taken offline after AccessDocs exposes privacy breach
October 18, 2011
Updated: 19/10/11
The Metropolitan Police has been forced to remove part of its website, after a mass privacy breach was exposed by this blog.
More than 100 documents had accidentally been published online containing confidential information in the files’ meta-data. This included names, email addresses and employment history of members of the public.
An “urgent investigation” has now been launched by police into the breach, and the entire section of the website has been taken down. The Information Commissioner has also launched its own investigation after receiving a number of complaints.
The documents had been online for months – free for anyone to read and find through Google. They were legitimately listed on a Freedom of Information disclosure log – but data within the files gave away people’s personal details.
The Met told AccessDocs: “The MPS has temporarily disabled the website whilst we carry out an urgent investigation. As an interim measure, we have removed all the PDFs that contain disclosure information from the server to ensure no further loss of personal information… We apologise for any inconvenience this may cause and aim to have the site restored as soon as possible.”
“NB – first indications show that email addresses may have been published.”
Police originally claimed to have “disabled” the website on Tuesday, but it later transpired that all the documents were still online. Instead of the documents being removed, the home page of the section was simply moved. This meant that although old links to the data didn’t work, the files could still be found through Google, or by editing the URL. This further error was reported on Tuesday evening, but it took around 12 hours for the documents to finally be taken offline.
Police also confirmed that one individual who had her personal details published has already registered a complaint. An email from the Met to the woman said: “It has been brought to our attention that your personal details have appeared on the Metropolitan Police Service website”.
Other people who had personal details published by the Met include an ex-policeman, a professor, a solicitor, an American student and a Daily Mirror journalist.
At least two people have now sent complaints to the Information Commissioner’s Office (ICO). A spokesman for the commissioner said: “We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.” The ICO has the power to prosecute and impose penalties of up to £500,000 on organisations for private data breaches.
The Disclosure Log, which has been taken down as a result of the privacy breach, provides copies of the responses to Freedom of Information (FOI) requests that are sent to the Met. Disclosure logs are a valuable and positive part of transparency – FOI campaigners will therefore be pleased that the Met have confirmed that this move is only a temporary one. A press officer for the police said that they would go through each of the hundreds of documents individually, if necessary – but that they would get the disclosure log back online as soon as possible.
In future, Data Protection and Freedom of Information should not be an either/or.
NB: For all queries about this story, please contact me on mrw504@gmail.com, or see the ‘about’ page, or see my website.