What legal basis did the Met Police have for disclosing 30,000 addresses?
police breach

What legal basis did the Met Police have for disclosing 30,000 addresses?

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

In early May, the Metropolitan Police were accused of a ‘severe’ security breach when they disclosed 30,000 addresses of shotgun and firearm owners to a direct mail marketing agency, “Yes Direct Mail”.

The British Association for Shooting and Conservation (BASC) has now demanded an answer from the Commissioner of the Metropolitan Police, Cressida Dick, to clarify what legal basis they had for passing on the addresses of so many firearm and shotgun owners. Namely: under the Data Protection Act (DPA) and any wider guidelines surrounding privacy and marketing.

Chain of events

The Metropolitan Police confirmed that they used a company, Corporate Document Services (CDS), based in Leeds to print the leaflets. The leaflets advised certificate holders of a product called ‘SmartWater’ (not to be confused with the bottled water brand), which allows owners to mark their guns with invisible ink that can be read under UV light in the event that it’s stolen. Though the leaflets may have been created with the intention of advising owners of how to keep their firearms and shotguns safe and protected, the marketing strategy seemingly disregarded the fact that owners didn’t give their express consent for their addresses to be shared.

BASC was informed that CDS sub-contracted the distribution of these leaflets to Yes Direct Mail. BASC wrote a letter to the Commissioner, Cressida Dick, outlining the concerns it had with the home security of shotgun and firearm owners given that their addresses were compromised by the leaflet distribution. The understandable concerns were in relation to criminals looking to acquire a gun.

Links with the police force

There are suspicions floating around that there was an ulterior motive involved. The person who founded the traceable ink company is reportedly a former police detective. It’s believed that the company has strong ties with a number of UK police forces, and their product is something that the police actively endorse. So it’s not surprising that the Metropolitan Police may have been swayed to provide addresses of thousands to assist with the promotion of the product…

Data protection statement

When an application is made for the ownership of shotgun and/or firearm, under the data protection statement, the applicant and the police only give the police permission to share their personal details with GPs, other government departments, regulatory bodies, or enforcement agencies. It certainly doesn’t appear to cover commercial companies. CDS and Yes Direct Mail probably fall under the definition of a commercial company, and therefore it seems that the Metropolitan Police didn’t have permission to disclose this information.

The Met Police’s responsibility

This is black and white for me. Data controllers can only pass on the personal data of an individual with prior consent. The exception to this rule is if there’s a legitimate concern for public health and safety.

Under the DPA, Section 11 provides that an individual has the right to prevent processing for purposes of direct marketing. This means that, had the shotgun and firearm owners known that their addresses were being disclosed onto an external contractor, they could’ve given written notice to the data controller (Metropolitan Police) to stop this from happening. However, on this occasion, the owners weren’t made aware that their addresses were being used for direct marketing, and therefore couldn’t give their consent.


The Information Commissioner’s Office (ICO) reiterates this by stating that prior consent must be obtained for direct marketing purposes. Individuals should be allowed to opt-in or out of these methods of communication. The ICO’s guidance also states that companies should check the individual’s preference before they directly contact them for marketing purposes.

BASC’s final words

For the time being, BASC’s Director of Firearms, Bill Harriman, maintains the position that there was no legal basis for their addresses to be disclosed;

“…we can see no legal authority which allows the Met to breach the DPA by passing on sensitive, confidential information to as many as three external companies.”

Bill Harriman highlights the threat of personal information being passed on:

“…such information is currency for criminals.”

Especially when involving firearms. That’s why data security is crucial and companies who fail to adhere to the DPA and other privacy obligations will be punished.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon