THE Police Service of Northern Ireland (PSNI) is facing a £750k fine for a spreadsheet error which saw the personal details of its entire workforce publicly exposed.
The major data breach, which occurred last summer, saw personal information – including surname, initials, rank and role of all 9,483 serving PSNI officers and staff – included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request.
Following the breach, which happened last August, the PSNI confirmed that the sensitive information had fallen into the hands of dissident republicans among others.
Today the Information Commissioner’s Office (ICO) has announced its intention to fine the police service £750k “for failing to protect the personal information of its entire workforce”.
Stating that the breach brought “tangible fear of threat to life” the ICO confirmed the event created the “perfect storm of risk and harm” due to poor data security and added that their investigation found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were “inadequate”.
Speaking as their findings were announced, John Edwards, UK Information Commissioner, said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.
“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.”
He added: “I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”
Mr Edwards also revealed that while the potential fine is provisional – allowing time for the PSNI to respond – the fine could have been £5.6m.
He claims the ICO used discretion to significantly reduce the penalty to ensure public money in Northern Ireland is not diverted from where it is most needed.
Responding to the ICO announcement, the PSNI has accepted their failings in the data breach, but claims they are not in a position to pay out £750k.
“We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice,” the PSNI’s Deputy Chief Constable Chris Todd said today.
“We will now study both documents and are taking steps to implement the changes recommended.”
He added: “Today’s announcement by the ICO that they intend to fine us £750k following the data loss of August 8, 2023, is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change.
“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.”
The PSNI’s preliminary enforcement notice requires the force to improve the security of personal information when responding to FOI requests.
Dep Chf Con Todd today highlighted the measures that have been put in place to mitigate the risk of the data breach to its staff members and the work they have undertaken to improve data handling within the force.
“The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again,” he said.
“Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff.
“We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits,” he explained.
“In December 2023 a payment of up to £500 was made available to each individual in the organisation whose name was contained on the data set released in reimbursement for equipment or items purchased by those individuals against their own particular safety needs – 90% of officers and staff took up this offer of financial support.
“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues and detectives have conducted numerous searches and have made a number of arrests as part of this investigation.”
He added: “Following the data loss an Independent Review was jointly commissioned by the Northern Ireland Policing Board and the Police Service of Northern Ireland into the circumstances surrounding loss.
“The review published its findings in December and made 37 recommendations that we are now progressing.
“Fourteen of these have already been implemented with the establishment of the Deputy Chief Constable as the Senior Information Risk Owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group.
“This will ensure that information security and data protection matters are afforded the support and attention they critically deserve. The recommendations made now by the ICO reflect some of these already being progressed.
“Work is ongoing to update current policies and develop a new Service Instruction as recommended by the ICO.
“Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”