Exclusive: Met Police website taken offline after AccessDocs exposes privacy breach

Offline: The Met website's disclosure log, after 105 files found with private data

Updated: 19/10/11

The Metropolitan Police has been forced to remove part of its website, after a mass privacy breach was exposed by this blog.

More than 100 documents had accidentally been published online containing confidential information in the files’ meta-data. This included names, email addresses and employment history of members of the public.

An “urgent investigation” has now been launched by police into the breach, and the entire section of the website has been taken down. The Information Commissioner has also launched its own investigation after receiving a number of complaints.

The documents had been online for months – free for anyone to read and find through Google. They were legitimately listed on a Freedom of Information disclosure log – but data within the files gave away people’s personal details.

The Met told AccessDocs: “The MPS has temporarily disabled the website whilst we carry out an urgent investigation. As an interim measure, we have removed all the PDFs that contain disclosure information from the server to ensure no further loss of personal information… We apologise for any inconvenience this may cause and aim to have the site restored as soon as possible.”

“NB – first indications show that email addresses may have been published.”

Police originally claimed to have “disabled” the website on Tuesday, but it later transpired that all the documents were still online. Instead of removing it, the home page of the information was simply moved. This meant that although old links to the data didn’t work, it could still be found through Google, or by editing the URL. This further error was reported on Tuesday evening, but it took around 12 hours to finally be taken offline.

Police also confirmed that one individual who had her personal details published has already registered a complaint. An email from the Met to the woman said: “It has been brought to our attention that your personal details have appeared on the Metropolitan Police Service website”.

Other people who had personal details published by the Met include an ex-policeman, a professor, a solicitor, an American student and a Daily Mirror journalist.

At least two people have now sent complaints to the Information Commissioner’s Office (ICO). A spokesman for the commissioner said: “We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.” The ICO has the power to prosecute and impose penalties of up to £500,000 on organisations for private data breaches.

The Disclosure Log, which has been taken down as a result of the privacy breach, provides copies of the responses to Freedom of Information (FOI) requests that are sent to the Met.  Disclosure logs are a valuable and positive part of transparency – FOI campaigners will therefore be pleased that the Met have confirmed that this move is only a temporary one. A press officer for the police said that they would go through each of the hundreds of documents individually, if necessary – but that they would get the disclosure log back online as soon as possible. 

In future, Data Protection and Freedom of Information should not be an either/or. 

NB:  For all queries about this story, please contact me on mrw504@gmail.com , or see the ‘about’ page, or see my website.  

Exclusive: 100 private documents accidentally published on police website

File info showing name and email address of a member of public who had requested information from the police. (Here, the private details are blanked out, but they are still online on the Met's website).

Privacy breaches by the Metropolitan Police have left more than 100 documents online which contain confidential information.

Names, email addresses and employment details are among the private data which can still be viewed on the Met’s website.

Police publish all their responses to questions in an online disclosure log. But staff are routinely failing to remove personal information from the titles of files – leaving people’s details, and their questions, free to be found through Google and read by anyone.

The breaches include the details of an ex-policeman, a professor, a solicitor, an American student and a Daily Mirror journalist. In total, around 105 files contain privacy breaches, with a sharp increase in breaches since August.

Some of the documents also include whole paragraphs of personal information about the members of public making Freedom of Information (FOI) Requests. Police uploading responses to the internet have simply copied and pasted sections of correspondence which give personal information.

A rise in the number of privacy breaches follows record levels of FOI requests to the Met, suggesting that privacy is being overlooked. New figures show that requests rocketed this summer after the police force came under criticism over the hacking scandal and the August riots.

NB: Some people submitting FOI requests choose to make their information public by using whatdotheyknow.com, but a large number of requests are done confidentially for personal, journalistic or employment reasons. For instance, someone trying to gather information about an employer may not want to be ‘found out’ by future employers. 

See also:  ‘How police lost your personal data’ (from August 2011)

UPDATE: The Metropolitan Police have removed their entire online disclosure log as a result of this blog post. Several of the people who had personal details published have expressed their anger at the police. More updates to come. All enquiries to Martin Williams  – mrw504@gmail.com