If you were to dream up a serious and grotesque data security incident, you could not top the leak of personal data from the Police Service of Northern Ireland (PSNI) last week, writes Mark Rowe.
The week after the news broke, PSNI Chief Constable Simon Byrne said he was ‘confident that the workforce data set is in the hands of dissident republicans’. He said: “It is now a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff. I won’t go into detail for operational reasons but we are working round the clock to assess the risk and take measures to mitigate it.” As a sign of how upsetting the release of personal data is, Mr Byrne had to deny, ‘contrary to commentary circulating’, that the PSNI was seeing ‘any movement of officers or staff out of the organisation’.
How serious
Mainland British readers may not have cause to grasp how serious it is, that the police working on a Freedom of Information Act case released only various data about PSNI people (oddly, Mr Bryne persisted in calling it a ‘breach’, as if the leak was not self-inflicted). Police (and prison officers) were as much targets during the decades-long Troubles as the Army. Police stations resembled prisons, or forts on the North West Frontier: high walls, barbed wire. At home, officers (and their families) would avoid giving away their occupation. While the region has been at peace for 25 years, MI5 rates the threat to Northern Ireland from NI-related terrorism as ‘severe’, that is, greater than the general terror risk to the UK (‘substantial’).
In a regular blog, the business continuity consultant and trainer Charlie Maclean-Bristol has noted the anger expressed by PSNI people at the leak, and the contrast with ‘the lack of outcry’ after other cases, which often means a lack of consequences (Mr Bryne has been resisting any suggestion that he should resign). Which means that data breaches keep happening. Maclean-Bristol wrote: “Hopefully, this incident prompts greater caution in data handling and the prevention of accidental releases.” He concluded that unless those impacted by data breaches raise their voices and hold organisations accountable, breaches will persist; media interest wanes when there’s no new information to feed the story. We can add: any failures get swept under the carpet; people stay in jobs, pensions are protected; everyone moves on to the next foul-up.
This PSNI case may be an exception to that rule. If you are notified that your financial details have been hacked, you can change your banking passwords. Although it takes time, it’s less trouble than if those in Northern Ireland with hatred of the police as authority figures use the leaked data to assault or harass – or, such is the power of the online world, merely to place online that someone works for the police, who has chosen not to advertise that in their private life. Such a breach of privacy is not something you can repair like a debit card.
In the PSNI workforce as in a marriage, when secrets are let out without permission, trust is lost, and it’s hard to repair. When credit card or other financial info about someone is lost, whether by a law firm or a utility, the business that has had the data stolen may well email those whose data they have not been able to keep secure, and apologise and offer a credit check service. While the business may be complying with data protection rules as ruled over by the watchdog the ICO, no amount of words and offers go any way to answering the worry nagging of those who’ve been compromised, not knowing if or when a criminal might make use of what’s lost.
At the ICO, John Edwards, the Information Commissioner, has expressed his ‘serious concerns’ and said that the ICO is investigating. In a statement he said correctly that ‘even the smallest of human errors can have major consequences’; however, we can add that as the ICO since last year has stated a policy of giving no more than ‘warnings, reprimands and enforcement notices’ to the public sector, and issuing fines only in the most serious cases, it remains to be seen if PSNI will get fined. As if a fine would make things better.
Photo by Mark Rowe; street art, Belfast city centre.
