A major data breach at the Police Service of Northern Ireland (PSNI) was caused by a combination of factors and a lack of proactive action to ensure security, according to a newly published report on the incident.
The Northern Ireland Policing Board has published a review of the data breach in August, which involved the names and work locations of all its officers and civilian staff being mistakenly posted on its website for a few hours after a freedom of information request.
It says that an investigation of the details of the incident has shown the breach was not caused by a single act or decision by any one person, but was a consequence of many factors, and of the PSNI not having taken opportunities to better protect its data and identify risks in advance.
At the time of the incident these factors had not been identified by any audit, risk management or scrutiny mechanism.
No strategy
The document points out that there has been no force programme or strategy for data, an inconsistent approach among information asset owners and an insufficient response to risk at tactical and operational levels.
There is also no comprehensive standard operating procedure for handling freedom of information requests – which are widely used by PSNI officers and staff – and the Data Protection Act of 2018 is still not fully embedded. In addition, the HR systems and processes need further attention to embed higher standards of data security.
The document provides a series of recommendations, including: regular audits of data functions; a repositioning of the role of senior responsible information risk owner; a review of risk registers relating to data assets; a review and deduplication of documentation; and a review of information assurance processes.
It adds that PSNI is not alone among police forces in the shortcomings identified.
NPCC response
In response to the review, the National Police Chiefs’ Council’s information assurance lead, Commissioner Peter O’Doherty, commented: “The volume of data managed, processed, and stored by policing is vast and continues to increase, both in terms of volume and complexity.
“Furthermore, policing holds the most sensitive of data and information and so it is essential that all police forces foster a robust and highly committed approach to data and information management and security, and ensure we have the leadership, governance, structures, and systems in place to protect the institution of policing and everyone who is part of it and affected by it.”