Mat Hayward - stock.adobe.com
Northern Ireland police face £750,000 fine after data protection blunder put lives at risks
Information commissioner John Edwards uses discretion to reduce proposed fine from £5.6m to £750,000
Northern Ireland’s police service faces a £750,000 fine from the data protection regulator after mistakenly disclosing the names of all serving officers and staff in a spreadsheet published online.
The data breach by the Police Service of Northern Ireland (PSNI), described as the most significant in the history of UK policing, is understood to have led to the personal data of police officers and staff falling into the hands of dissident republic groups.
The information commissioner said the breach had led to police employees having to move house or cut themselves off from family members because of “tangible concerns of loss of life”.
The proposed fine follows the PSNI’s accidental publication of the surnames, initials, rank and roles of all 9,483 service PNSI officers and other staff in a “hidden” tab of a spreadsheet published online in response to a freedom of information (FOI) request in August 2023.
The ICO has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information to be inadequate.
John Edwards, the UK information commissioner, said it was troubling that simple, practical-to-implement policies could have prevented the potentially life-threatening incident.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life,” he said.
The publication of the names, ranks and roles of PSNI’s serving officers had caused “untold anxiety and distress to those directly affected as well as their, families, friends and loved ones”.
Edwards said he had used his discretion to reduce the size of the proposed fine to protect public sector finances, which would otherwise have been set at £5.6m.
PSNI deputy chief constable Chris Todd said the fine was “regrettable” given the PSNI’s significant financial deficit.
He said the breach had had a lasting impact on the individuals affected.
“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation,” he said.
The PSNI has provided significant crime prevention advice to officers and staff and their families, through online tools, advice clinics and home visits.
It has also made payments of up to £500 to PSNI employees whose names were disclosed in the breach for equipment or items bought by individuals to support their own safety needs – an offer that was taken up by 90% of officers and staff.
An independent review commissioned by the Northern Ireland Policing Board and the PSNI found, among other failings, that the PSNI had a culture that branded data protection as too complex, niche and somebody else’s problem.
The report, published in December 2023, made 37 recommendations, of which 14 have now been implemented. They include establishing the deputy chief constable as senior information risk owner and the creation of a Strategic Data Board and Data Delivery Group. The PSNI is also updating its policies.
“Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future,” said Todd.
The Information Commissioner’s Office has issued the PSNI with a preliminary enforcement notice requiring the police service to improve the security of personal information when responding to FOI requests.
More on the PSNI’s data breach
The August 2023 data breach at the Police Service of Northern Ireland arose chiefly from an outdated approach to data protection and compliance at the force, according to an independent review
Human error is being blamed for the leak of personally identifiable information on all serving officers and civilian staff at the Police Service of Northern Ireland
Just hours after accidentally disclosing the personal details of 10,000 personnel, the Police Service of Northern Ireland has notified a second data breach after a police issue laptop and documents were stolen from a parked car
Read more on Privacy and data protection
-
Police accessed phone records of ‘trouble-making journalists’
-
BBC instructs lawyers over allegations of police surveillance of journalist
-
Report reveals Northern Ireland police put up to 18 journalists and lawyers under surveillance
-
PSNI criticised after ‘utterly vague’ answers on covert surveillance of journalists