By Charlotte Webster
The Information Commissioner’s Office (ICO) has announced its intention to fine the Police Service of Northern Ireland (PSNI) £750,000 for a severe data breach that compromised the personal information of its entire workforce.
This comes after an incident where sensitive details of 9,483 serving PSNI officers and staff were inadvertently published online.
The breach, which occurred due to a hidden tab in a spreadsheet released in response to a Freedom of Information (FoI) request, included surnames, initials, ranks, and roles of the PSNI personnel.
Information Commissioner John Edwards described the incident as creating a “perfect storm of risk and harm,” causing substantial fear and distress among those affected.
“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm,” said Edwards.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members, and completely altering their daily routines because of the tangible fear of threat to life.”
The ICO’s investigation found that the PSNI’s internal procedures and sign-off protocols for safe disclosure of information were grossly inadequate. The Information Commissioner emphasized that simple and practical policies could have prevented this potentially life-threatening incident.
Preventing Future Incidents
Edwards publicized the potential fine to underscore the necessity for organizations to rigorously check and improve their disclosure procedures.
In September 2023, following the PSNI incident and other high-profile data breaches, the ICO issued an advisory notice with recommendations for public authorities to better safeguard personal information.
The ICO’s public sector approach to fines aims to ensure that public money is not diverted from essential services, while still holding organizations accountable for serious breaches. Without this approach, the fine could have been as high as £5.6 million.
In addition to the fine, the PSNI has received a preliminary enforcement notice to improve the security of personal information in response to FoI requests. The ICO will consider any representations from the PSNI before making a final decision on the fine and enforcement requirements.
PSNI’s Response
Deputy Chief Constable Chris Todd acknowledged the ICO’s findings, expressing regret over the data loss incident. “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice,” Todd said. He also noted the financial challenges the PSNI faces and the steps being taken to implement the recommended changes.
Since the breach in August 2023, the PSNI has undertaken significant efforts to mitigate the impact, including providing crime prevention advice and financial support to affected staff.
An independent review commissioned by the Northern Ireland Policing Board and the PSNI resulted in 37 recommendations, of which 14 have already been implemented.
The breach had profound implications for PSNI officers and staff, leading to substantial personal and professional disruptions. The Police Federation for Northern Ireland (PFNI) welcomed the ICO’s provisional findings, highlighting the grave nature of the breach and the necessity for robust data protection measures.
PFNI chair Liam Kelly remarked on the severity of the situation and the relative leniency of the fine considering the potential penalty. “The ICO has confirmed there were dangerous failings to protect personal information and a shocking absence of protocols for the safe disclosure of information,” Kelly said.
The ICO’s findings underscore the critical need for stringent data protection protocols to prevent such breaches in the future. The PSNI’s commitment to implementing the recommendations aims to restore trust and ensure the highest standards of data security are maintained.