The Police Service of Northern Ireland faces a provisional £750,000 fine for last summer’s data breach, which the Information Commissioner described as a ‘perfect storm of risk and harm’.

Had the data breach happened in the private sector, the provisional fine could have been £5.6 million.

On 8 August 2023, in response to a freedom of information (FOI) request, the personal information of all 9,483 serving PSNI officers and staff – including surname, initials, rank and role, but not address – was included in a hidden tab of a spreadsheet published online.

The Northern Ireland Police Federation, which represents rank-and-file officers, expressed “anger and dismay” at the PSNI data breach.

The Information Commissioner’s investigation provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.

John Edwards, the UK Information Commissioner, said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.

“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.

“What’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.”

The commissioner said he used discretion to apply a public sector approach when calculating the provisional fine to ensure public money is not diverted from where it is most needed, while maintaining the right to issue fines in the most serious cases.

Had the public sector approach not been applied, the Information Commissioner’s Office (ICO) said the provisional fine would have been set at £5.6 million.

PSNI said it would make representations to explain that the force cannot afford a £750,000 fine. It has 28 days to respond.

Deputy Chief Constable Chris Todd said: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice. We will now study both documents and are taking steps to implement the changes recommended.”

He described the intended fine as “regrettable”, given PSNI’s significant financial constraints. “We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice,” he said.

In December 2023, payments of up to £500 were made available to each individual affected by the data breach to fund home security equipment; 90% of officers and staff took up the offer.

The PSNI data breach led to the resignation of Simon Byrne, then chief constable.

Edwards added: “I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”

In September 2023, following the report from the PSNI and reports of a number of other high-profile personal data breaches, the commissioner issued an advisory notice providing recommendations for public bodies to ensure personal information is not inappropriately included as part of an FOI response.

Last month, around half of officers and staff commenced legal action against the police service. Three test cases for a liability-only hearing have been listed for 26 June.

