The Metropolitan Police Service is currently facing heavy criticism for handing the addresses of 30,000 London gun owners to a direct mail marketing agency. The firm, Yes Direct Media, used the information as a mailing list for a leaflet advertising a “firearms protection pack” sold by SmartWater, the self-proclaimed “crime fighting company”.
The leaflet, titled “Protect your firearms and shotguns with SmartWater” and featuring Met Police logos, was delivered to the unsuspecting gun owners on 11 April. It advised firearm and shotgun certificate holders to buy its protection pack, which includes SmartWater’s “traceable liquid” – an invisible ink-like product that’s only visible under UV light – as well as a “thieves beware” deterrent sign.
Security in obscurity
Gun owners are routinely advised by the police not to publicise the fact that they own guns, particularly if they keep them in their homes. This is because: (a) guns are a highly attractive target for thieves and burglars, and (b) a stolen gun is probably going to lead to worse crimes.
To reiterate this, the Met strictly prohibits licence holders’ information from being used for marketing or advertising purposes – a rule they appear to have now broken.
However, the Met told The Register that the advertising campaign was an in-house initiative and that data was not supplied to SmartWater. It said that the third-party vendor will only gather information on gun owners who contact them to buy their products as a result of the advertising campaign.
Even so, singling out gun owners doesn’t seem like the most secure, or effective, way of spreading this warning. Firearm and shotgun ownership is already highly regulated – with almost all guns being stamped with serial numbers that are recorded against the owner’s name and address on a police-controlled database. It’s hard to see the security benefit SmartWater provides that isn’t already present in serial numbers, which are practically impossible to fully remove.
The Met later claimed that the primary aim of its campaign was not to spread SmartWater’s liquid but to discourage burglars by hanging the company’s deterrent signs. (That, of course, makes you wonder why there was no reference to those signs in the leaflet.)
Following The Register’s report, the British Association for Shooting and Conservation (BASC) wrote to the force demanding an investigation.
“We can see no legal authority which allows the Met to breach the Data Protection Act by passing on sensitive, confidential information to as many as three external companies,” said Bill Harriman, BASC’s director of firearms.
The BASC confirmed that the Met are now investigating the matter and that it won’t be providing commentary until the investigation is complete.
Train your staff to be cyber aware
It will soon be even more important to avoid data security issues such as this, given that the EU’s General Data Protection Regulation (GDPR), which has much stricter rules and much harsher penalties, will be enforced from next year.
Any organisation that fails to comply with the GDPR will face a fine of up to 4% of its annual global turnover or €20 million (approximately £17 million), whichever is greater.
If your organisation is currently preparing for the GDPR, or you are looking to understand and demonstrate your knowledge of it, you should take a look at IT Governance’s GDPR training courses. With a range of programmes in both classroom and distance learning formats, we are your one-stop shop for high-quality and cost-effective training solutions.