Northern Ireland Police Data Leak Sees Service Fined by ICO

Written by

The Police Service of Northern Ireland (PSNI) has been criticized for procedural failings that exposed the personal data of its officers and other staff.

Meanwhile, a fine of £750,000 ($984,000) has been issued by the Information Commissioner’s Office (ICO).

The data protection watchdog highlighted the significant harm and distress caused to personnel by the incident, including fears around officers’ safety.

It also said that simple-to-implement procedures could have prevented such a serious data breach.

The ICO’s policy of using its discretion to minimize financial penalties for the public sector meant that the PSNI avoided a penalty figure of £5.6m ($7.3m).  

The incident occurred in August 2023 and saw the personal data of 9483 PSNI officers and staff exposed within a spreadsheet published online following a freedom of information (FoI) request.

In May 2023 the ICO revealed its intention to fine the PSNI for the incident. However, plans to issue an enforcement notice have been dropped.

Read now: ICO Reprimands London Council for Mass Data Breach

Breach Caused Fear and Uncertainty

UK Information Commissioner, John Edwards, emphasized the “fear and uncertainty” the avoidable breach caused PSNI officers and staff.

The breach included information about officers working in highly sensitive areas like surveillance and intelligence.

“I cannot think of a clearer example to prove how critical it is to keep personal information safe,” said Edwards.

“A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed,” he added.

The ICO highlighted personal testimonies from staff on the impact of the breach on their lives.

This included one PSNI officer being forced to leave the service and others expressing fears over potential threats to them and their families from paramilitary groups and wider criminal circles. These fears led them to invest in expensive personal security measures.

PSNI Improvements to Data Security Practices

Responding to the ICO announcement, Jon Boutcher, Chief Constable at the PSNI, expressed disappointment at the fine, stating it would add to the pressures the service is facing.

He added that the service is progressing on recommendations made by the ICO and an independent review team on improving data security practices.

This includes the establishment of the Deputy Chief Constable as the Senior Information Risk Owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group.

“The personal testimonies serve as a stark reminder of the impact the data loss had on our officers and staff and I know this will once again be to the forefront of their minds,” said Boutcher.

“As a service we are in a different place today than we were last August and we have continued to work tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We have provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits,” he added.

Image credit: Min Jing / Shutterstock.com

What’s hot on Infosecurity Magazine?