Police force data breach
The Information Commissioner’s Office recently announced that it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 for a personal data breach. Ibrahim Hasan examines the decision.
The ICO’s proposed fine (Notice of Intent) relates to an incident which occurred last summer. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours. At the time the breach was reported, I gave an interview to BBC Radio Ulster (Listen here.)
The ICO says that the proposed fine could be imposed on the PSNI “for failing to protect the personal information of its entire workforce.” It has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
The fact that the ICO is proposing a large fine is not surprising. The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. The PSNI has previously confirmed that the information was in the hands of dissident republicans, among others.
It is important to note that this is not a fine. It is a ‘Notice of Intent’– a legal document that precedes a potential fine. Such a notice sets out the ICO’s provisional view which may of course change after PSNI makes representations. Remember we have been here before. In July 2018 British Airways was issued with a Notice of Intent, for cyber security breach, in the sum of £183 million but the actual fine was for £20 million issued in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.
PSNI has also been issued with a preliminary Enforcement Notice, requiring the Service to improve the security of personal information when responding to FOI requests.
Ibrahim Hasan is a solicitor and director of Act Now Training.
Act Now has two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about data security. See also its Managing Personal Data Breaches Workshop.