PSNI fined £750,000 for data breach

The Information Commissioner’s Office (ICO) has fined the Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.

Oct 3, 2024
By Paul Jacques

The regulator’s investigation found that simple-to-implement procedures could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a Freedom of Information (FoI) request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.

Information Commissioner John Edwards said that, mindful of the current financial position at the PSNI and not wishing to divert public money from where it is needed, he used his discretion to apply the public sector approach in this case.

Had this not been applied, the fine would have been £5.6 million.

The PSNI said the fine will further compound the pressures it is facing while the Police Federation for Northern Ireland (PFNI) said it will have a “negative impact” on the “cash-strapped” organisation.

On August 3, 2023, the PSNI received two FoIs from the same person via WhatDoTheyKnow (WDTK). The first asked for “…the number of officers at each rank and number of staff at each grade…”, and the second asked for a distinction between “how many are substantive/temporary/acting…”.

The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system (SAP). The data included: surnames and first name initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.

As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file.

The original worksheet, containing the personal details, remained in the file unnoticed, and quality assurance did not pick it up. The file was subsequently uploaded to the WDTK website at 2.31pm on August 8.

The PSNI was alerted to the breach by its own officers at approximately 4.10pm the same day. The file was hidden from view by WDTK at 4.51pm and deleted from the website at 5.27pm.

Six days later, the PSNI announced it was working on the assumption that the file was in the hands of dissident republicans and that it would be used to create fear and uncertainty and for intimidation.

Mr Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.

“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff. A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.

“Whilst I am aware of the financial pressures facing PSNI, my role as Commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines. I am satisfied, with the application of the public sector approach, this has been achieved in this case.

“Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.”

The ICO said its investigation was assisted by complaints from people who provided “candid insights into the anxiety and distress” the breach had caused, including:

“…Everything has culminated and become too much for me to the point that I have accepted another job outside of the police. I am essentially taking a pay cut not to mention leaving the job that I dreamed of since I was a small child and geared my whole life towards. To say I am devastated is an understatement but I feel I have no choice.”

“I have gone to great trouble to ensure that I have remained invisible, with no social media presence, removal from the electoral roll, 192.com, never revealing my job to others and lying about where I work whenever asked… I have trouble sleeping, my children… are all stressed about my welfare, some of them have told me that they have nightmares about me getting attacked.”

“How has this impacted on me? I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok. I have spent over £1,000 installing modern CCTV and lighting around my home, because of the exposure.”

“I believe the risk to my personal security and the safety of my wife and… young children is more significant for me due to the fact that I grew up in the area where we are most active. As a result of this many persons involved and linked to paramilitary groups and wider criminal circles in this area would know me or remember me from both school and childhood. I have gone to great lengths to keep my occupation confidential. Only close family and friends previously had knowledge of it. I have a minimal social media footprint. I have also spent a considerable amount of effort to make our home private and secure to reduce potential for attacks. This has now been severely compromised and will require further expense to upgrade.”

PSNI Chief Constable Jon Boutcher said: “Today’s confirmation that the ICO has imposed a £750,000 fine on the PSNI is regrettable, especially given the financial constraints we are currently facing.

“This fine will further compound the pressures the service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.

“Following the ICO’s announcement in May that they intended to impose a fine and issue an enforcement notice we made representations regarding the level of the fine and the requirements in their enforcement notice. While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an enforcement notice.

“That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.

“The personal testimonies above serve as a stark reminder of the impact the data loss had on our officers and staff and I know this will once again be to the forefront of their minds. As a service we are in a different place today than we were last August and we have continued to work tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We have provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.”

He added: “We continue to progress the recommendations made by the ICO and also the recommendations made by the Independent Review Team who published their findings in December 2023, including the establishment of the deputy chief constable as the senior information risk owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group, ensuring that information security and data protection matters are afforded the support and attention they critically deserve.

“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”

PFNI chair Liam Kelly said: “The breach involved the release of surnames, initials, rank and role of officers. It caused widespread understandable distress and concern and forced a major re-think of personal security.

“A fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation. Even though provision was made for most of this last year, there is still a hefty sum of money to come out of the current budget.

“We’re disappointed that our submissions on the level of the fine were not fruitful.

“We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local councils.

“We’re grateful the ICO applied discretion on the level of fine to be imposed which would have been £5.6 million. Had that happened, I have no doubt that immense harm would have been caused to the service and the range of services the public have a right to expect.”

Northern Ireland Policing Board chair Mukesh Sharma said: “The PSNI data breach was a critical incident that had serious reverberations within and outside of the PSNI. As a Board we remain very mindful of the immense impact that this Data Breach had within the PSNI and all the officers, staff and their families who were directly affected.

“The Board welcomed the positive commentary from the Commissioner on remedial actions progressed by PSNI, but concern was recorded on the size of the fine imposed given wider financial pressures within policing and public sector finances in NI.

“The remedial actions of the PSNI in response to the breach, and the financial implications and liabilities arising from it, have been the subject of discussion at the Policing Board over the course of the last 13 months and will remain under scrutiny by the Board in monitoring implementation of actions from the jointly commissioned review by the Board and the PSNI, which was published in December 2023.”

In September 2023, following a number of high-profile personal data breaches, the Commissioner issued an advisory notice with recommendations public authorities should adopt to ensure personal information is not disclosed in freedom of information responses.

The ICO has also:

  • Published a checklist for public authorities to use for the safe and appropriate disclosure of information;
  • Publicised its guidance on how to disclose information safely; and
  • Engaged with online platforms which facilitate FoI and transparency.


Copyright © 2024 Police Professional