ICO issues reprimand to the PSNI for unlawfully sharing data with US
The Information Commissioner’s Office (ICO) has issued a reprimand to the Police Service of Northern Ireland (PSNI) for unlawfully sharing personal data on 174 people with the US Department of Homeland Security (DHS).
The data was shared by the PSNI’s extradition unit and included details of criminal convictions and biometric data.
The ICO said the PSNI “failed to have appropriate measures in place” to prevent the extradition unit unlawfully sharing this data with the DHS.
It said this had been taking place since 2016 and continued following the introduction of the Data Protection Act 2018 until October 2020.
“Members of staff within the extradition unit had legitimate but insufficiently regulated access to various PSNI systems and were able to extract personal data which was then unlawfully shared with DHS,” said the ICO.
Its investigation found a culture had evolved where data sharing was done outside of established processes under its data protection framework and “there was a lack of effective managerial oversight”.
Had this been in place, further unlawful sharing of personal data could have been prevented, said the ICO.
It found personal data, including criminal convictions, was “routinely sent to the US via email, without encryption or password protection”.
“While there is no evidence to suggest the personal data was inappropriately accessed, the investigation found that personal data was processed without the appropriate security being applied,” the ICO said.
The sharing was intended to alert the DHS of an individual’s intended travel to the US but no formal process was being followed.
“The PSNI were unable to demonstrate it had a documented reason for proactive sharing, for example following the receipt of a formal request which identified a specified reason, in line with the data protection legislation, for sharing the personal data with the DHS,” said the ICO.
“Data subjects would not reasonably expect their personal data to be used in this way, which resulted in data subjects and their family members being refused entry to the US.
“Due to the nature of the personal data that was being processed, the PSNI should have ensured a higher level of protection and safeguards were in place.”
The ICO said “remedial steps” have already been taken by the PSNI.
“In particular, in the course of our investigation we have noted that the professional standards of the extradition unit and the Police Ombudsman of Northern Ireland have conducted a review of the incident and recommendations have been made,” it said.”The PSNI has since introduced stricter controls to improve its compliance. These include ensuring any future data sharing is conducted within a formal arrangement, reviewing existing guidance and polices, and creating a standard operating procedure which includes data transfer.
“The Commissioner considers these steps to be appropriate and that they should prevent an incident of this nature happening again.”
The ICO made a number of recommendations to ensure compliance with Data Protection Act 2018, but the PSNI said “significant steps” have already been taken to address each of these and to improve its compliance.
A spokesperson for the PSNI said said: “At the time, we apologised and I want to repeat that apology.
“The ICO made a number of recommendations.
“I want to reassure the public that significant steps have already been taken and that each of these recommendations has already been implemented to prevent any reoccurrence of this breach.
“These steps have been acknowledged and welcomed by the ICO.”