Independent review of PSNI data breaches launched

It will be led by City of London Police Assistant Commissioner Pete O’Doherty, the National Police Chiefs’ Council lead officer for information assurance, supported by a specialist team.

The Northern Ireland Policing Board (NIPB) said the review’s initial report will be published within a month, with a full report by the end of November.

The NIPB stressed Chief Constable Simon Byrne “retains the confidence of the board to lead the service”.

The review was announced at a special meeting of the board on Tuesday (August 22) to “restore confidence” in the PSNI among officers and staff and the general public.

It follows an “unprecedented and industrial-scale” breach on August 8 which resulted in the personal details of 9,483 officers and staff mistakenly being published online in response to a Freedom of Information request.

Details released to the public included the surnames and initials of all current officers and staff, together with the location and department in which they work.

Two other breaches were subsequently made public, including the loss of a police officer’s laptop and notebook containing details of 42 police officers and members of staff after the items fell from a moving vehicle on the M2 last week.

Separately, on July 6, in an unrelated incident, a police-issue laptop and radio, as well as a document containing the names of more than 200 staff, were stolen from a private vehicle in Newtownabbey, County Antrim.

The NIPB said the independently led end-to-end process review of the circumstances surrounding the data breach incident of August 8, and others, “has been commissioned in order to provide confidence to PSNI officers and staff and assurance to the wider public that the underlying causes of the breach have been identified and addressed”.

The review is designed to:

• Understand (a) the processes and actions that led to the breach occurring and, (b) any organisational, management or governance factors that allowed that breach to occur;
• Identify any action required to prevent further data breaches, to build more robust future risk mitigation systems and to make any necessary improvements to information governance systems, policy, organisational practices, cultures and behaviours; and
• Restore confidence in the organisation’s approach to information security management.

The NIPB said the data breaches will also be a “standing agenda item” on monthly public and private accountability sessions with the chief constable for as long as is necessary, so that “progress on dealing with all the consequences from the breaches, including support mechanisms and risk assessments for police officers and staff, can be tracked and assessed”.

The board said the breaches “have damaged the reputation of the service and impacted the confidence of officers, staff and others in the service’s ability to protect personal information”.

It added: “It is vitally important that confidence is restored in the service from within the officers and staff of PSNI, from the general public, including those who have direct contact with the service, particularly victims of crime and from partner agencies.”

At Tuesday’s meeting, the board agreed that “essential steps were necessary to help rebuild trust and confidence in the PSNI, and provide assurance on the efficacy of PSNI policies and practices in place for handling personal data across the organisation”.

In a statement following the meeting, the NIPB said: “The chief constable retains the confidence of the board to lead the service and the senior team in the wide-ranging programme of work which has been initiated to address all aspects of the data breaches to ensure appropriate support mechanisms are in place for police officers and staff.”

It said the arrangements set out at the meeting “will inject crucial independence to help restore internal and external confidence in the service’s handling of personal information”.

The NIPB added: “The board wants to reach a point where we can assure all PSNI officers and staff and the wider public that every step necessary has been taken to deal with the threats, risks and harms arising from this breach and that everything possible has been done to prevent a recurrence.

“The board will put in place monitoring arrangements to ensure effective implementation of the recommendations flowing from the end-to-end review.

“Recognising the impact of the breaches on PSNI officers and staff, the board engaged on August 8 with representatives of the Police Federation and NIPSA ((Northern Ireland Public Service Alliance) and on August 22 with the wider membership of ‘Your Voice’, which has representatives from all the staff organisations.

“The board will maintain contact over the coming months with the staff representative groups to ensure their views continue to be heard.”

At the meeting on Tuesday, the board also received a detailed update from the PSNI on continuing actions that are being taken following these breaches.

“While much remains to be done, the board acknowledges the comprehensive response that has been mobilised and delivered by PSNI, and would like to place on record thanks to other partner agencies locally and nationally who have offered and provided assistance to PSNI,” the NIPB said.

“The impact of these breaches on officers and staff, as well as on wider public trust, is not under-estimated and will remain at the centre of the board’s efforts as we take forward the actions contained in this statement.

“The board would also like to thank all those across the community who have privately and publicly expressed support and solidarity with the PSNI, and with the officers and staff affected.

“We also wish to record the board’s continued support for officers and staff within the PSNI for the work they do on our behalf.”