PSNI data breach: £750k fine confirmed by ICO

The PSNI has been fined £750,000 for a major data breach which involved the personal information of some 9,500 staff and officers accidentally released.

In announcing the penalty, the Information Commissioner's Office said "simple-to-implement" procedures could have prevented it.

The ICO had previously announced its intention in May to fine the organisation £750,000 and the announcement today (Thursday) is confirmation of the final figure.

However, Chief Constable Jon Boutcher said they were "extremely disappointed" the level of the fine was not reduced - "given he financial constraints we are currently facing."

The breach happened in August 2023, when a spreadsheet released as part of a freedom of information request held hidden data with the initials, surname, rank and role of all 9,483 PSNI officers and staff.

Police later said the information had got into the hands of dissident republicans.

In the aftermath of the leak, some officers chose to relocate their homes, cut contact with family members, and change daily routines.

The UK data regulator said that the fine should have been £5.6 million, but as it was "mindful" of the financial constraints faced by the PSNI, it used its discretion to reduce the total amount.

The ICO investigation found that the breach caused anxiety and distress for PSNI staff and officers, with some stating that they had left the organisation or lost sleep due to concern about their safety.

UK Information Commissioner John Edwards said it was "a lack of simple, internal processes" that led to the "particularly egregious breach".

He said it served as "a lesson for all organisations" to check their process around data protection.

Mr Edwards said: "I cannot think of a clearer example to prove how critical it is to keep personal information safe.

"It is impossible to imagine the fear and uncertainty this breach - which should never have happened - caused PSNI officers and staff.

"A lack of simple internal administration procedures resulted in the personal details of an entire workforce - many of whom had made great sacrifices to conceal their employment - being exposed.

"Whilst I am aware of the financial pressures facing PSNI, my role as commissioner is to take action to protect people's information rights and this includes issuing proportionate, dissuasive fines. I am satisfied, with the application of the public sector approach, this has been achieved in this case."

Deputy Chief Constable Chris Todd said he wanted to acknowledge the impact the breach had, which was "difficult" for staff and officers.

Asked about what the total costs would be, Mr Todd said that a universal payment of up to £500 for individual security measures for staff and officer had cost £3.4 million.

He said that around 7,000 claimants had taken legal action against the organisation over the breach, which he said would be "the biggest chunk of expenditure".

"In June, that process went before the courts and we accepted liability, so that was committed to in June and the courts are now working through that process to determine how much exactly that will be," he said.

He said the £750,000 fine will "add to pressures" on "woefully underfunded" police services.

"We made the representations obviously hopeful that there might be an adjustment," he said, adding that they would not be appealing the amount.

PSNI Chief Constable Jon Boutcher said that the service was "in a different place today than we were last August".

He said that "tireless" work continues to "devalue" the compromised dataset, and "significant" crime prevention advice has been offered to officers and staff.

He added: "Today's confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing.

"This fine will further compound the pressures the service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year."

He said: "While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an Enforcement Notice.

"That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.

"Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future."

The Police Federation for Northern Ireland (PFNI) said it was "disappointed" at the £750,000 fine on an "already cash-strapped" organisation.

PFNI chairman Liam Kelly said the breach caused "widespread understandable distress and concern" and forced people to re-think their personal security.

He added: "A fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation. Even though provision was made for most of this last year, there is still a hefty sum of money to come out of the current budget.

"We're disappointed that our submissions on the level of the fine were not fruitful.

"We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local Councils.

"We're grateful the Information Commissioner's Office applied discretion on the level of fine to be imposed which would have been £5.6 million. Had that happened, I have no doubt that immense harm would have been caused to the Service and the range of services the public have a right to expect."

Mwanwhile, The Police Federation for Northern Ireland said it too was disappointed at the level of the fine

PFNI Chair Liam Kelly said: “The breach involved the release of surnames, initials, rank and role of officers. It caused widespread understandable distress and concern and forced a major re-think of personal security.

“A fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation. Even though provision was made for most of this last year, there is still a hefty sum of money to come out of the current budget.

“We’re disappointed that our submissions on the level of the fine were not fruitful.

“We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local Councils.

“We’re grateful the Information Commissioner’s Office applied discretion on the level of fine to be imposed which would have been £5.6 million. Had that happened, I have no doubt that immense harm would have been caused to the Service and the range of services the public have a right to expect.”