The Police Service of Northern Ireland (PSNI) would have faced a crippling fine of £5.6m for a serious data breach last year had the regulator not adopted a new policy towards public sector bodies, according to the Information Commissioner’s Office (ICO).
The data protection watchdog instead today issued a fine of £750,000 to the PSNI for failing to protect highly sensitive information on its workforce.
In a much-publicized incident last year, human error led to the publication online of a spreadsheet containing the surname, initials, rank and role of all 9483 serving PSNI officers and staff.
Crucially, this included the details of individuals working in sensitive areas like surveillance and intelligence – raising concerns over the safety of officers and their families.
The information was published in an Excel spreadsheet on the FOI website What Do They Know? for over two hours, and was subsequently copied and distributed.
The sensitive data was contained in a pivot table within the spreadsheet and was not visible at a glance, a mistake that has also been made in NHS data breaches. The ICO subsequently ordered public authorities to stop publishing FOI data via spreadsheets.
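The failure described above is a pre-publication checking problem: an .xlsx file is a zip package, and a pivot table keeps a copy of its source rows inside that package (in `xl/pivotCache/`) unless the workbook was saved with source data disabled, so a "summary" sheet can carry every underlying record. The following is an added example, not code from the ICO, the PSNI or the article, of an offline audit that a disclosure team could run before releasing a spreadsheet. It uses only the Python standard library and constructs its own minimal sample workbooks (the sheet names, record values and hidden-column ranges are invented for the demo); it assumes the standard OOXML package layout, where pivot caches live under `xl/pivotCache/` and hidden sheets are marked with `state="hidden"` or `state="veryHidden"` in `xl/workbook.xml`.

```python
import io
import re
import zipfile

# An .xlsx file is a zip package. Pivot tables keep a copy of their source rows
# in xl/pivotCache/pivotCacheRecords*.xml unless the definition part carries
# saveData="0", so a summary sheet can embed every underlying record.
PIVOT_DIR = "xl/pivotCache/"
SHEET_TAG = re.compile(r"<sheet\s[^>]*>")
STATE_ATTR = re.compile(r'state="(hidden|veryHidden)"')
NAME_ATTR = re.compile(r'name="([^"]*)"')
HIDDEN_ROWCOL = re.compile(r'<(row|col)\s[^>]*hidden="(1|true)"')
RECORD_COUNT = re.compile(r'count="(\d+)"')


def build_sample_xlsx(with_pivot_cache, with_hidden_sheet, with_hidden_cols=False):
    """Construct a minimal workbook package for the demo (constructed sample, not a real FOI file).

    Only the parts the audit inspects are written; a real workbook has more parts.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        sheets = ['<sheet name="Summary" sheetId="1" r:id="rId1"/>']
        if with_hidden_sheet:
            sheets.append('<sheet name="Source" sheetId="2" state="hidden" r:id="rId2"/>')
        z.writestr(
            "xl/workbook.xml",
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            "<sheets>" + "".join(sheets) + "</sheets></workbook>",
        )
        cols = '<cols><col min="3" max="5" hidden="1"/></cols>' if with_hidden_cols else ""
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet>" + cols + "<sheetData/></worksheet>")
        if with_pivot_cache:
            # saveData omitted: the attribute defaults to true, so records are stored in the file.
            z.writestr("xl/pivotCache/pivotCacheDefinition1.xml",
                       '<pivotCacheDefinition r:id="rId1"/>')
            z.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                       '<pivotCacheRecords count="3">'
                       '<r><s v="PERSON-A"/></r><r><s v="PERSON-B"/></r><r><s v="PERSON-C"/></r>'
                       "</pivotCacheRecords>")
    return buf.getvalue()


def audit_xlsx(data):
    """Return a list of findings describing content that may not be visible on screen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()

        # 1. Pivot caches: embedded copies of the pivot's source rows.
        for name in names:
            if name.startswith(PIVOT_DIR) and "pivotCacheRecords" in name:
                xml = z.read(name).decode("utf-8", "replace")
                m = RECORD_COUNT.search(xml)
                n = m.group(1) if m else "an unknown number of"
                findings.append(f"{name}: pivot cache holds {n} source records")
            elif name.startswith(PIVOT_DIR) and "pivotCacheDefinition" in name:
                xml = z.read(name).decode("utf-8", "replace")
                if 'saveData="0"' not in xml and 'saveData="false"' not in xml:
                    findings.append(f"{name}: saveData not disabled, source data is saved with the pivot")

        # 2. Hidden or "very hidden" worksheets (the latter cannot be unhidden from the Excel UI).
        if "xl/workbook.xml" in names:
            wb = z.read("xl/workbook.xml").decode("utf-8", "replace")
            for tag in SHEET_TAG.findall(wb):
                if STATE_ATTR.search(tag):
                    nm = NAME_ATTR.search(tag)
                    findings.append(f"hidden sheet: {nm.group(1) if nm else '?'}")

        # 3. Hidden rows or columns inside otherwise visible sheets.
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                hits = len(HIDDEN_ROWCOL.findall(xml))
                if hits:
                    findings.append(f"{name}: {hits} hidden row/column group(s)")
    return findings


def safe_to_publish(data):
    """A release gate: True only when the audit raises no findings."""
    return not audit_xlsx(data)


if __name__ == "__main__":
    for label, wb in (("clean", build_sample_xlsx(False, False)),
                      ("risky", build_sample_xlsx(True, True, True))):
        print(label, "->", "OK to publish" if safe_to_publish(wb) else audit_xlsx(wb))
```

The gate is deliberately conservative: a pivot cache or hidden sheet is reported even when it may be harmless, because the cost of a false positive is a manual look at the file, while the cost of a false negative is the kind of disclosure described in this article. Exporting the visible cells to CSV, as the ICO's guidance on not publishing FOI data via spreadsheets implies, removes all three classes of hidden content at once.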
Four men were arrested on terror charges, and on suspicion of collection of information likely to be useful to terrorists, following the data leak – indicating the seriousness of the incident.
The breach came a few months after the UK government raised the threat level for Northern Ireland-related terrorism from “substantial” to “severe” due to increased targeting of police officers in the region.
A Perfect Storm
Information Commissioner John Edwards described the incident as a “perfect storm of risk and harm” and said it showed just how harmful poor data security can be.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life,” he explained.
“What’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.”
The ICO’s reduced fine is part of a two-year policy for public sector enforcement whereby the regulator uses its discretion to minimize the impact of fines on the public.
Alongside the fine, the PSNI has been issued with a preliminary enforcement notice, requiring it to improve the security of personal information when responding to FOI requests.