News Hub

UK Information Commissioner’s Office proposes £750k fine for PSNI over data breach

Written by Mon 27 May 2024

The UK Information Commissioner’s Office (ICO) has announced it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 ($955,687) for failing to protect the personal information of its workforce.

The proposed fine is for an incident where personal information of 9,483 PSNI officers and staff, including surnames, initials, ranks, and roles, was accidentally published online in a hidden tab of a spreadsheet. 

The ICO’s investigation has provisionally found the PSNI’s internal procedures and sign-off protocols for information disclosure were inadequate.

UK Information Commissioner, John Edwards said the nature of this breach created a ‘perfect storm of risk and harm’, showing how damaging poor data security can be. Edwards added the ICO heard ‘many harrowing stories’ about the impact of the avoidable error which caused people to move house and alter their daily routines due to a ‘tangible fear of threat to life’.

“What is particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place,” said Edwards.

ICO Issues Recommendations

In September 2023, after receiving reports from the PSNI and other high-profile data breaches, the Commissioner issued recommendations to help public authorities prevent the inappropriate inclusion of personal information in freedom of information (FOI) responses.

To ensure public funds support essential services, the Commissioner applied the public sector approach in calculating the PSNI’s provisional fine. This method ensures fines are only issued in the most serious cases, preventing unnecessary diversion of public money. Without this approach, the provisional fine would have been £5.6 million ($7.1 million)

The PSNI has also received a preliminary enforcement notice to improve the security of personal information in their FOI responses.

PSNI Responds to Fine

Deputy Chief Constable of the PSNI, Chris Todd, said the PSNI accepts the findings in the ICO’s Notice of INtent and acknowledged the learning highlighted in their Preliminary Enforcement notice.

“Today’s announcement by the ICO .. is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change,” said Todd.

Todd added that the PSNIwill make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.

The Deputy Chief Constable said the report emphasised the lasting impact of the data loss on the PSNI’s officers and staff which the announcements brings into the fore again.

PSNI Review Continues

Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff.

The PSNI provided crime prevention advice to its officers, staff, and their families through online tools, advice clinics, and home visits. They also offered up to £500 ($637) to each individual whose name was included in the released data set, reimbursing them for safety-related equipment or items they purchased. 90% of officers and staff accepted this financial support.

The investigation to identify those in possession of the leaked information and any related criminal activity is ongoing, with numerous searches and arrests already made. 

Following the data loss, an Independent Review commissioned by the Northern Ireland Policing Board and the PSNI made 37 recommendations, 14 of which have been implemented, including appointing the Deputy Chief Constable as the Senior Information Risk Owner and establishing a Strategic Data Board and Data Delivery Group.

In September, the data leak resulted in Chief Constable Simon Byrne’s resignation and two additional arrests linked to the incident. Byrne resigned with immediate effect after losing a vote of no confidence from the Democratic Unionist Party (DUP).

Join Tech Show London

12-13 March 2025, ExCeL London

Be a part of the latest tech conversations and discover pioneering innovations.

You won’t want to miss one of the most exciting technology events of the year.

Written by Mon 27 May 2024

Send us a correction Send us a news tip