The accidental publication of a spreadsheet containing more than 345,000 pieces of data on the website “WhatDoTheyKnow” stemmed from a Freedom of Information (FoI) request which had asked for a breakdown of Police Service of Northern Ireland (PSNI) staff and their ranks (the exact question was “Could you provide the number of officers at each rank and number of staff at each grade?”). However, in addition to the requested information, the spreadsheet also included staff surnames, initials and other data including their base, unit and responsibility.
The information was available online for over two hours before being taken down by PSNI but it is not yet clear to what extent the spreadsheet was accessed and shared, and by whom.
It has now been revealed that PSNI is also investigating a second data breach relating to the theft of a spreadsheet containing the names of more than 200 serving officers and staff, as well as a police laptop and radio, from a private vehicle in Belfast.
What is the potential harm?
The disastrous effects that data breaches can have on organizations have been well noted. However, on face value one may question the severity of this case – after all, the disclosed data contained names and job titles – information which can often be easily found in the public domain. However, the political context is important here to be able to understand the scale of the incident and the potentially serious consequences for the individuals involved.
PSNI has long been the target of threats and physical attacks (most recently in February 2023) by dissident groups in the region. The terrorist threat level in Northern Ireland was raised to “severe” in March this year due to the fatal shooting of an off-duty PSNI officer. The public identification of individuals serving on the force has therefore caused them to fear for their personal security, especially as many had been keeping their association with PSNI a secret (including from friends and family).
Human error and data breaches
The cause of the data leak in this case was down to a “simple” human error with a “monumental” impact. This is unfortunately not uncommon. According to a research report by Stanford University and Tessian, 88% of all data breaches are caused by human error, including falling susceptible to phishing, sending emails to the wrong recipient and reusing weak passwords.
Although manual processes are inevitably subject to an element of human error, it is important to ensure that appropriate (and often simple) controls are implemented to mitigate these risks. For example, documents can be marked highly sensitive, made password-protected and certain information can be encrypted.
Data protection regulation
In the case of data breaches, especially sensitive situations like the case of PSNI, the focus is often on how to remedy the breach, and less on how to prevent breaches from occurring in the first place and ensuring compliance with legal obligations in relation to personal data. This is particularly the case in time-pressured situations, such as FoI requests (which have a deadline of 20 days), which can increase the risk of human error. This makes it imperative for organizations to fully understand their obligations under data protection regulation from the outset.
As a reminder of relevant data protection principles and rules:
- Data minimization and purpose limitation: Personal data must be collected and processed only as necessary for the intended purpose and for specified, explicit and legitimate purposes. In the PSNI case, the spreadsheet containing the additional information not required by the FoI request goes beyond these principles and increases the risk of harm to individuals.
- Technical measures and safeguards: Organisations are required to implement appropriate technical and organizational measures to ensure an adequate level of security for personal data and to protect it from unauthorized access, disclosure, alteration or destruction. The fact that the PSNI information (which was of a sensitive nature given the context) was able to be so easily disclosed by one individual (and the data was not password protected or encrypted) highlights the lack of safeguards in place to prevent such an incident and to minimise any impact on individuals.
- Accountability, reporting and notification requirements: Organisations are required to notify the relevant supervisory authority (here, the Information Commissioner’s Office (ICO)) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individual’s rights and freedoms. Here, the information was taken down quickly by PSNI and reported to the ICO within the relevant window.
Security by design
The PSNI case is a reminder of how even what appears to be a minor human error can have significant and far-reaching consequences. It highlights the need for organisations to implement and maintain robust data handling practices and security measures and that any individuals handling personal data are sufficiently trained and vigilant in the face of incidents.
Until a security-by-design mindset is adopted and integrated into an organization’s daily operations and wider business plan, the number of incidents will continue to rise (Norfolk and Suffolk Police released personal data of over 1,000 victims of crime as part of a FoI request due to a “technical error”).
Although not all cases will have the same external factors as with PSNI, it can be useful to conduct a risk assessment of foreseeable consequences and wider implications of a potential breach to help shape an organization’s approach to data governance.
Legal obligations
As is the case in the context of cyber-attacks, it is important for organizations to ensure that they consider their legal obligations from the outset and to consult lawyers early on to assist with tailored drafting and reviewing policies and procedures as well as in the aftermath of a data breach (see our article on Responding to a cyberattack: why you should call your lawyer).
The ICO has said in its statement that it is currently investigating the incident as a matter of urgency but that it can’t determine the extent to which the personal data disclosed was accessed before it was taken down. However, it is working with PSNI to assess the level of risk and to mitigate any harmful consequences.
PSNI has apologised for the error and emphasized its commitment to investigating the circumstances surrounding the breach, as well as working with the ICO to mitigate any security risks to officers and their families. You can read the official statement from the Police Service of Northern Ireland on its website.
David Varney is a partner in the technology team and advises on a range of data protection, technology, intellectual property and commercial matters for clients in a number of sectors, including technology, financial services, media, retail and energy, Burges Salmon.