Legal help for data breach compensation claims

What legal basis did the Met Police have for disclosing 30,000 addresses?

Start Your Claim Today!

Your privacy is extremely important to us. Read how we handle your data in our Privacy Policy

In early May, the Metropolitan Police were accused of a ‘severe’ security breach when they disclosed 30,000 addresses of shotgun and firearm owners to a direct mail marketing agency, “Yes Direct Mail”.

The British Association for Shooting and Conservation (BASC) has now demanded an answer from the Commissioner of the Metropolitan Police, Cressida Dick, to clarify what legal basis they had for passing on the addresses of so many firearm and shotgun owners. Namely: under the Data Protection Act (DPA) and any wider guidelines surrounding privacy and marketing.

Chain of events

The Metropolitan Police confirmed that they used a company, Corporate Document Services (CDS), based in Leeds to print the leaflets. The leaflets advised certificate holders of a product called ‘SmartWater’ (not to be confused with the bottled water brand), which allows owners to mark their guns with invisible ink that can be read under UV light in the event that it’s stolen. Though the leaflets may have been created with the intention of advising owners of how to keep their firearms and shotguns safe and protected, the marketing strategy seemingly disregarded the fact that owners didn’t give their express consent for their addresses to be shared.

BASC was informed that CDS sub-contracted the distribution of these leaflets to Yes Direct Mail. BASC wrote a letter to the Commissioner, Cressida Dick, outlining the concerns it had with the home security of shotgun and firearm owners given that their addresses were compromised by the leaflet distribution. The understandable concerns were in relation to criminals looking to acquire a gun.

Links with the police force

There are suspicions floating around that there was an ulterior motive involved. The person who founded the traceable ink company is reportedly a former police detective. It’s believed that the company has strong ties with a number of UK police forces, and their product is something that the police actively endorse. So it’s not surprising that the Metropolitan Police may have been swayed to provide addresses of thousands to assist with the promotion of the product…

Data protection statement

When an application is made for the ownership of shotgun and/or firearm, under the data protection statement, the applicant and the police only give the police permission to share their personal details with GPs, other government departments, regulatory bodies, or enforcement agencies. It certainly doesn’t appear to cover commercial companies. CDS and Yes Direct Mail probably fall under the definition of a commercial company, and therefore it seems that the Metropolitan Police didn’t have permission to disclose this information.

The Met Police’s responsibility

This is black and white for me. Data controllers can only pass on the personal data of an individual with prior consent. The exception to this rule is if there’s a legitimate concern for public health and safety.

Under the DPA, Section 11 provides that an individual has the right to prevent processing for purposes of direct marketing. This means that, had the shotgun and firearm owners known that their addresses were being disclosed onto an external contractor, they could’ve given written notice to the data controller (Metropolitan Police) to stop this from happening. However, on this occasion, the owners weren’t made aware that their addresses were being used for direct marketing, and therefore couldn’t give their consent.

ICO

The Information Commissioner’s Office (ICO) reiterates this by stating that prior consent must be obtained for direct marketing purposes. Individuals should be allowed to opt-in or out of these methods of communication. The ICO’s guidance also states that companies should check the individual’s preference before they directly contact them for marketing purposes.

BASC’s final words

For the time being, BASC’s Director of Firearms, Bill Harriman, maintains the position that there was no legal basis for their addresses to be disclosed;

“…we can see no legal authority which allows the Met to breach the DPA by passing on sensitive, confidential information to as many as three external companies.”

Bill Harriman highlights the threat of personal information being passed on:

“…such information is currency for criminals.”

Especially when involving firearms. That’s why data security is crucial and companies who fail to adhere to the DPA and other privacy obligations will be punished.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.

Request a call back from our team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.
All fields marked with an * are required.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy.
You have the right to object to the processing of your personal data.

First published by Editor on May 30, 2017
Posted in the following categories: Latest and tagged with


GP surgeries were on the brink of meltdown following the NHS cyber-attacks
Are companies prepared enough to respond to a data hacks and breaches?
%d bloggers like this: