23/05/2024

PSNI To Be Fined £750,000 For Major Data Breach

The PSNI is to be fined £750,000 following a data breach that exposed the personal information of all serving officers and police staff.

The Information Commissioner's Office (ICO) has issued the fine for the PSNI's failure to protect the personal information of its entire workforce.

In the incident personal information – including surname, initials, rank and role of all 9,483 serving PSNI officers and staff – was included in a "hidden" tab of a spreadsheet published online in response to a freedom of information request. The ICO investigation has provisionally found the PSNI's internal procedures and sign-off protocols for the safe disclosure of information were inadequate.

John Edwards, UK Information Commissioner, said: "The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.

"Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people's lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.

"And what's particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.

"I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them."

Commenting on the announcement that the ICO intends to fine the PSNI, Deputy Chief Constable Chris Todd said: "We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice.  We will now study both documents and are taking steps to implement the changes recommended.

"Today’s announcement by the ICO that they intend to fine us £750,000 following the data loss of 8 August 2023 is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change. We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.

"The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again.  Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.

"In December 2023 a payment of up to £500 was made available to each individual in the organisation whose name was contained on the data set released in reimbursement for equipment or items purchased by those individuals against their own particular safety needs. 90% of officers and staff took up this offer of financial support.

"An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation.

"Following the data loss an Independent Review was jointly commissioned by the Northern Ireland Policing Board and the Police Service of Northern Ireland into the circumstances surrounding loss. The review published its findings in December and made 37 recommendations that we are now progressing. Fourteen of these have already been implemented with the establishment of the Deputy Chief Constable as the Senior Information Risk Owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group. This will ensure that information security and data protection matters are afforded the support and attention they critically deserve. The recommendations made now by the ICO reflect some of these already being progressed.

"Work is ongoing to update current policies and develop a new Service Instruction as recommended by the ICO.  Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future."

Related Northern Ireland News Stories
Click here for the latest headlines.

11 August 2023
PSNI Must Focus On Protection Of Officers And Staff – SDLP
The PSNI must focus on the protection of officers and staff and rebuilding public confidence, SDLP Policing Board Member Mark H Durkan MLA has said. Mr Durkan participated in a Policing Board meeting with Chief Constable Simon Byrne and the PSNI's Service Executive Team.
17 August 2023
Man Arrested Following Investigation Linked To PSNI Data Breach
A man has been arrested as part of an investigation linked to a major PSNI data breach. The 39-year-old has been detained after he was arrested following a search in Lurgan, Co Armagh. He was arrested on suspicion of of collection of information likely to be of use to terrorists.
10 August 2023
PSNI Reveals Further Data Breach In July Theft
The PSNI has revealed a further data breach in the theft of a laptop and radio on 6th July.
15 August 2023
UUP Questions Details Of 6th July Theft Of Police Data
The Ulster Unionist Party has called on PSNI Chief Constable, Simon Byrne, to clarify information on a 6th July theft of personal police officer information. A spreadsheet, containing the personal details of some 200 officers and police staff, a police laptop and radio, were stolen from an officers personal vehicle in the Newtownabbey area.
09 August 2023
Investigation Launches Into PSNI Data Breach
An investigation has been launched after the names of all serving PSNI officers and civilian staff, alongside their role and where they are based, were mistakenly published online. It is understood that the personal details were included in a response to a Freedom of Information (FOI) Request.