The Information Commissioner’s Office (ICO) has announced its intention to fine the Police Service of Northern Ireland (PSNI) £750,000 ($953,308) for failing to keep the personal information of its entire workforce safe, following the “monumental” data breach last year in which information on all its staff was leaked.
In a response to a freedom of information (FOI) request, information about all of the 9,483 serving PSNI officers and staff was included in a “hidden” tab of a spreadsheet that was published online. The leaked information included surname, initials, rank, and role.
“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be,” said John Edwards, UK Information Commissioner.
The FOI request had asked the PSNI for a breakdown of all its staff ranks and grades. However, when the PSNI shared the information, the force also included a spreadsheet with the additional data, which covered 40 PSNI officers based at MI5 headquarters.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life,” Edwards continued.
Inadequate procedures to keep data safe
In an initial investigation, the ICO found that the PSNI’s internal procedures and sign-off protocols for keeping data safe were inadequate.
By publishing the action against the PSNI, Edwards hopes to highlight the need for organizations to make sure that they have systems and procedures in place to protect personal information.
“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place,” Edwards continued.
The ICO says that it wishes to put public money to its best use and not divert it from where it is most needed, and has therefore applied the public sector approach when deciding the PSNI provisional fine amount. If it had not been applied, the provisional fine would have been set at £5.6m ($7.1m). PSNI has also been issued with a preliminary enforcement notice, which will require it to improve the security of personal information when dealing with FOI requests.
However, the final penalty and requirements in the enforcement notice are yet to be decided on.
Another data breach
A day after the breach, it also emerged that the police were investigating another data breach, after a spreadsheet naming more than 200 serving officers and staff, a laptop and a radio were stolen from a senior officer’s car in the town of Newtownabbey in July 2023.
“This confirmation by the Service makes matters worse. Clearly, urgent answers are required. How did this happen? What steps were put in place to advise and safeguard so many colleagues?” said Liam Kelly, Chair of the Police Federation for Northern Ireland.
“The major security breach was bad enough, but this heaps further additional pressure on the PSNI to produce credible explanations around data security protocols and the impact on officer safety.”