PSNI faces ICO fine for ‘harrowing’ data leak

by Mark Rowe

The Police Service of Northern Ireland (PSNI) faces a £750,000 fine for failing to protect the personal information of its workforce in a self-inflicted September 2023 leak, the data privacy watchdog, the ICO, has stated.

John Edwards, UK Information Commissioner, said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be. Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.

“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.” Mr Edwards highlighted ‘the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them’.

Background

As featured in the March edition of Professional Security Magazine, the personal information – surname, initials, rank and role of all 9,483 serving PSNI officers and staff – was included in a “hidden” tab of a spreadsheet published online in response to a Freedom of Information (FoI) request.

The ICO has explained carefully how it has reached that sum, given that (as it acknowledges) public money is best used to support the delivery of essential services. The ICO says that the Commissioner used his discretion to apply the ‘public sector approach’ when calculating the PSNI provisional fine. The aim is that public money is not diverted away from where it is needed most, while maintaining the right to issue fines in the most serious of cases. Had the public sector approach not been applied, this provisional fine would have been set at £5.6m, according to the ICO. The watchdog has issued PSNI a preliminary enforcement notice, requiring the service to improve the security of personal information when responding to FoI requests.

What PSNI say

PSNI Deputy Chief Constable Chris Todd said: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice. We will now study both documents and are taking steps to implement the changes recommended.” He described the £750,000 as ‘regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change. We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.’

He added that in December a payment of up to £500 was made available to each individual in the organisation whose name was contained in the data set released, in reimbursement for equipment or items purchased by those individuals against their own particular safety needs. Some 90pc of officers and staff took up the offer.

An Independent Review, jointly commissioned by the Northern Ireland Policing Board and PSNI into the data loss, published its findings in December and made 37 recommendations that PSNI are now progressing, he added.

Photo by Mark Rowe; CCTV at Bangor police station perimeter, Northern Ireland.

© 2024 Professional Security Magazine. All rights reserved.