PSNI facing £750,000 fine for data breach that exposed personal information of its entire workforce

The Information Commissioner’s Office (ICO) has announced it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 for failing to protect the personal information of its entire workforce.

May 23, 2024
By Paul Jacques

The proposed fine relates to an incident in which personal information – including surname, initials, rank and role of all 9,483 serving PSNI officers and staff – was included in a ‘hidden’ tab of a spreadsheet published online in response to a Freedom of Information (FoI) request.

The Information Commissioner said the data breach created a “perfect storm of risk and harm” and brought “tangible fear of threat to life”.

The ICO investigation has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.

Announcing his decision on Thursday (May 23), Information Commissioner John Edwards said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.

“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.

“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.

“I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”

In September 2023, following the report from the PSNI and reports of a number of other high-profile personal data breaches, the Commissioner issued an advisory notice, which provided recommendations public authorities should adopt to ensure personal information is not inappropriately included as part of a freedom of information response.
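The failure described above (personal data sitting in a hidden tab of a spreadsheet released under FoI) is one that a pre-disclosure check can catch mechanically. The following script is an added example, not code from the ICO, the PSNI or this article: it reads an .xlsx package directly as a zip of OOXML parts (workbook.xml, the workbook relationships and each worksheet part) using only the Python standard library, and reports sheets whose state is hidden or veryHidden, together with their populated-cell counts, plus hidden rows and hidden column ranges on every sheet. It goes slightly beyond the hidden-tab case in the article by also flagging hidden rows and columns, which are a second common way for source data to travel unseen in a "cleaned" workbook. The sample workbook it audits is constructed inline with invented values; the sheet names and cell contents are assumptions for illustration only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the parts of an .xlsx package this audit inspects
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
WS_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"


def audit_xlsx(data: bytes) -> dict:
    """Inspect an .xlsx (as bytes) for content a reviewer would not see on screen.

    Returns hidden/veryHidden sheets (with their populated-cell counts), hidden rows
    and hidden column ranges per sheet. The package is read as a zip of XML parts,
    so no spreadsheet library is required.
    """
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        # Map relationship ids (r:id on each <sheet>) to worksheet part paths
        target_by_id = {
            rel.get("Id"): rel.get("Target")
            for rel in rels.findall(f"{{{NS_PKG_REL}}}Relationship")
        }
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            target = target_by_id[sheet.get(f"{{{NS_REL}}}id")]
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(zf.read(part))
            # A <c> element with a child (<v> or <is>) holds a value
            populated = sum(1 for c in ws.iter(f"{{{NS_MAIN}}}c") if len(c) > 0)
            if state != "visible":
                findings["hidden_sheets"].append((name, state, populated))
            hidden_rows = [
                int(row.get("r")) for row in ws.iter(f"{{{NS_MAIN}}}row")
                if row.get("hidden") in ("1", "true")
            ]
            hidden_cols = [
                (int(col.get("min")), int(col.get("max")))
                for col in ws.iter(f"{{{NS_MAIN}}}col")
                if col.get("hidden") in ("1", "true")
            ]
            if hidden_rows:
                findings["hidden_rows"][name] = hidden_rows
            if hidden_cols:
                findings["hidden_cols"][name] = hidden_cols
    return findings


def is_clear_for_release(findings: dict) -> bool:
    """A disclosure file passes only if nothing in it is hidden from view."""
    return not (findings["hidden_sheets"] or findings["hidden_rows"] or findings["hidden_cols"])


def build_sample_workbook() -> bytes:
    """Constructed sample (invented values): a visible response sheet with a hidden
    column, plus a hidden 'Source Data' sheet that also contains a hidden row."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'

    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="FOI Response" sheetId="1" r:id="rId1"/>'
        '<sheet name="Source Data" sheetId="2" state="hidden" r:id="rId2"/>'
        '</sheets></workbook>'
    )
    rels_xml = (
        f'<Relationships xmlns="{NS_PKG_REL}">'
        f'<Relationship Id="rId1" Type="{WS_TYPE}" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{WS_TYPE}" Target="worksheets/sheet2.xml"/>'
        '</Relationships>'
    )
    sheet1_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><cols><col min="3" max="3" width="12" hidden="1"/></cols>'
        '<sheetData><row r="1">' + cell("A1", "Rank") + cell("B1", "Headcount")
        + cell("C1", "Internal note") + '</row></sheetData></worksheet>'
    )
    sheet2_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
        '<row r="1">' + cell("A1", "Surname") + cell("B1", "Initials") + '</row>'
        '<row r="2" hidden="1">' + cell("A2", "EXAMPLE") + cell("B2", "X.Y.") + '</row>'
        '</sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/_rels/workbook.xml.rels", rels_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1_xml)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2_xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_xlsx(build_sample_workbook())
    for name, state, n in result["hidden_sheets"]:
        print(f"hidden sheet {name!r} ({state}) with {n} populated cells")
    print("hidden rows:", result["hidden_rows"])
    print("hidden cols:", result["hidden_cols"])
    print("clear for release:", is_clear_for_release(result))
```

Run against the sample, the audit reports the hidden "Source Data" sheet with four populated cells, the hidden row 2 inside it and the hidden column C on the visible sheet, and `is_clear_for_release` returns False. In a disclosure workflow the simplest safe policy is the one this check implies: a file with any hidden sheet, row or column is not signed off; the responder exports only the visible, intended cells to a fresh workbook (or CSV) and the audit is re-run on that file before release.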

Recognising that public money is best used to support the delivery of essential services, the Commissioner used his discretion to apply the public sector approach when calculating the PSNI provisional fine amount.

The aim of the approach is to ensure public money is not diverted away from where it is needed most, while maintaining the right to issue fines in the most serious of cases. Had the public sector approach not been applied, this provisional fine would have been set at £5.6 million.

The PSNI has also been issued with a preliminary enforcement notice, requiring the Service to improve the security of personal information when responding to FoI requests.

The Commissioner’s findings are provisional, and he will carefully consider any representations PSNI makes before making a final decision on the fine amount and the requirements in the enforcement notice.

Commenting on the announcement, PSNI Deputy Chief Constable Chris Todd said: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice. We will now study both documents and are taking steps to implement the changes recommended.

“Today’s announcement by the ICO that they intend to fine us £750,000 following the data loss of August 8, 2023, is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change.

“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.”

He added: “The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again.

“Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.

“In December 2023 a payment of up to £500 was made available to each individual in the organisation whose name was contained on the data set released in reimbursement for equipment or items purchased by those individuals against their own particular safety needs – 90 per cent of officers and staff took up this offer of financial support.

“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation.”

Mr Todd said that following the data loss, an Independent Review was jointly commissioned by the Northern Ireland Policing Board and the PSNI into the circumstances surrounding the loss.

“The review published its findings in December and made 37 recommendations that we are now progressing,” he said. “Fourteen of these have already been implemented with the establishment of the deputy chief constable as the senior information risk owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group. This will ensure that information security and data protection matters are afforded the support and attention they critically deserve.

“The recommendations made now by the ICO reflect some of these already being progressed.

“Work is ongoing to update current policies and develop a new Service Instruction as recommended by the ICO. Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”

The Police Federation for Northern Ireland (PFNI) said it welcomed the ICO’s provisional findings report into the unprecedented PSNI data breach.

PFNI chair Liam Kelly said: “The provisional fine of £5.6 million reflects the gravity of the breach which exposed the surname, initials, rank and role of all officers and staff. The Commissioner has decided to use his public sector approach discretion to reduce this to potentially £750,000.

“The ICO has clearly considered the parlous state of the PSNI, which once again faces massive under-funding. In the context of what penalty could have been applied, I have to say the PSNI got off lightly and I welcome that fact.

“However, I’m sure that £750,000 could have been put to better use within the workplace and supporting local community projects. I support the PSNI in making this case before the ICO finalises its decision.

“The ICO has confirmed there were dangerous failings to protect personal information and a shocking absence of protocols for the safe disclosure of information.

“The Commissioner acknowledges the ‘many harrowing stories’ investigators heard about the impact of ‘this avoidable error’. Pointing up situations where people felt they had to move house, cut off ties with family members and completely alter daily routines underlines the seriousness of what happened.

“There was, as the ICO says, ‘tangible fear of threat to life’ and it’s clear from this damning report that there was no holding back or minimising what officers and staff were confronted with as a result of personal information reaching the public domain.

“A preliminary enforcement notice has also been issued by the ICO. Thankfully, as a result of the external review process following the data breach, the principal issues have already been identified and PSNI has either completed or made solid progress in concluding the remedial work required in relation to its systems and processes.

“This kind of egregious error can never be allowed to happen again and that must mean the organisation ensures watertight data defences are in place and that they operate the most stringent possible processes and protocols in the future.”


Copyright © 2024 Police Professional