The Information Commissioner’s Office (ICO) has fined the Police Service Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.
This comes after an earlier indication of the impending fine and in response to a major data breach in August of last year, which the ICO said left many staff fearing for their safety.
The regulator’s investigation found that procedures that would have been simple to implement could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a freedom of information request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.
Not wishing to divert public money from where it is needed, the information commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.
Incident details
On 3 August 2023, PSNI received two freedom of information requests from the same person via WhatDoTheyKnow (WDTK). The first asked for “… the number of officers at each rank and number of staff at each grade …”, the second for a distinction between “how many are substantive/temporary/acting …”.
The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system. The data included surnames and first name initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.
As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file.
The original worksheet, containing the personal details, remained unnoticed and this was also not picked up despite quality assurance. The file was subsequently uploaded to the WDTK website at 14:31 hours on 8 August.
Alert timeline
PSNI was alerted to the breach by its own officers at approximately 16:10 hours the same day. The file was hidden from view by WDTK at 16:51 hours and deleted from the website at 17:27 hours.
Six days later, PSNI announced it was working on the assumption that the file was in the hands of dissident republicans and would be used to create fear and uncertainty and for intimidation.
UK Information Commissioner John Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.
“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff. A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.
“Whilst I am aware of the financial pressures facing PSNI, my role as commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines. I am satisfied, with the application of the public sector approach, this has been achieved in this case.
“Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.”
PSNI response
Chris Todd, deputy chief constable at PSNI, said that it has taken action in response to the data breach.
He said: “Today’s confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing.
“This fine will further compound the pressures the service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.
“Following the ICO’s announcement in May that they intended to impose a fine and issue an enforcement notice we made representations regarding the level of the fine and the requirements in their enforcement notice.
“While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an enforcement notice. That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FoI requests.
Disturbing impact
“The personal testimonies serve as a stark reminder of the impact the data loss had on our officers and staff and I know this will once again be to the forefront of their minds.
“As a service we are in a different place today than we were last August and we have continued to work tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We have provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.
“We continue to progress the recommendations made by the ICO and also the recommendations made by the independent review team who published their findings in December 2023, including the establishment of the deputy chief constable as the senior information risk owner (SIRO) and the establishment of a strategic data board and data delivery group, ensuring that information security and data protection matters are afforded the support and attention they critically deserve.
“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”
