Police force issued with £750k fine for “serious” data breach involving staff data
The Information Commissioner’s Office (ICO) has issued the Police Service of Northern Ireland (PSNI) with a £750,000 monetary penalty for exposing the personal information of its workforce. Hidden data on a spreadsheet released as part of an FoI request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.
The watchdog said that “simple-to-implement procedures” could have prevented the breach, which led to many “fearing for their safety”.
The ICO’s investigation found that six days following the breach, PSNI announced they were working on the assumption that the file was in the hands of dissident republicans and that it would be used to create fear and uncertainty, and for intimidation.
John Edwards, UK Information Commissioner, said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.
“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff. A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.
“Whilst I am aware of the financial pressures facing PSNI, my role as Commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines. I am satisfied, with the application of the public sector approach, this has been achieved in this case.”
In June this year, the ICO revealed it will make a decision in the autumn on its approach to working with public sector organisations, following the end of a two-year trial.
The ICO set out its revised approach in 2022 in an open letter, which indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, “with fines only issued in the most serious cases”.
Had the public sector approach not been applied in this case, the fine would have been £5.6m, the ICO revealed.
Chief Constable Jon Boutcher of the Police Service of Northern Ireland said: “Today’s confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing.
“Following the ICO’s announcement in May that they intended to impose a fine and issue an Enforcement Notice we made representations regarding the level of the fine and the requirements in their enforcement notice. While we are extremely disappointed the ICO have not reduced the level of the fine, we are pleased that they have taken the decision not to issue an Enforcement Notice. That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.”
He added: “We continue to progress the recommendations made by the ICO and also the recommendations made by the Independent Review Team who published their findings in December 2023, including the establishment of the Deputy Chief Constable as the Senior Information Risk Owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group, ensuring that information security and data protection matters are afforded the support and attention they critically deserve.
“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”
Lottie Winson