PSNI faces £750,000 fine over 'unprecedented' data breach
Last updated 22nd May 2024
The PSNI is facing a £750,000 fine for failing to protect the personal information of its workforce.
The service described the fine as "regrettable" given the financial pressures it faces as it highlighted measures it has taken since personal details of thousands of officers were released online.
Data relating to all 9,483 PSNI officers and staff was included in a spreadsheet published online last August in response to a freedom of information request.
The list included the surname and first initial of every employee, their rank or grade, where they are based and the unit in which they work.
Police later said the information had got into the hands of dissident republicans.
In the aftermath of the leak, some officers chose to relocate their homes, cut contact with family members, and change daily routines.
The fine has been proposed by the Information Commissioners Office (ICO), which said the breach was a "potentially life-threatening incident" which caused "untold anxiety and distress".
However, the ICO said it was using discretion to significantly reduce the fine to ensure public money is not diverted from other areas of need.
Had the public sector approach not been applied, this provisional fine would have been set at £5.6 million.
The ICO investigation has provisionally found the PSNI's internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
The controversy contributed to the resignation of then-chief constable Simon Byrne and led the PSNI and Policing Board to commission a review.
Mr Byrne's successor said the error, which could potentially cost £240 million in security and compensation payouts, was due to a systems failure.
PSNI Chief Constable Jon Boutcher also said no disciplinary action is being taken against anyone involved.
Announcing the fine, UK Information Commissioner John Edwards said: "The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm - and show how damaging poor data security can be.
"Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people's lives - from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.
"And what's particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place."
The PSNI has also been issued with a preliminary enforcement notice which requires it to improve the security of personal information when responding to FOI requests.
The Commissioner's findings are provisional, and his office is to consider any representations PSNI make before making a final decision on the fine amount and the requirements in the enforcement notice.
Reacting to the fine, deputy chief constable Chris Todd said the the PSNI accepted the notice to impose the penalty and is taking steps to implement recommend changes.
In a statement, he said: "Today's announcement by the ICO that they intend to fine us £750,000 following the data loss of August 8 2023 is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change.
"We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice."
He said the service had "worked tirelessly" to introduce measures for affected officers and staff, including crime prevention advice.
Mr Todd said 90% of named individuals in the data set took up an offer of £500 towards equipment or items for their own particular safety needs.
He added: "An investigation to identify those who are in possession of the information and criminality linked to the data loss continues.
"Detectives have conducted numerous searches and have made a number of arrests as part of this investigation."
The PSNI's oversight body said it is awaiting an update on the implementation of recommendations it made in the wake of the data breach.
Following a meeting with the ICO, the chair of the NI Policing Board said: "The Board remains profoundly aware of the personal and professional impact that the 8 August data breach has had on officers and staff.
"The Board has continued to engage with both PSNI and staff associations over the last nine months to assess the ongoing effects of the breach and we welcome the actions taken by PSNI to mitigate the immediate impact and support those affected."
Mukesh Sharma added: "The board will continue to monitor the timely implementation of these recommendations alongside any additional recommendations made by the Information Commissioner's Office."
Mr Todd said 14 of the 37 recommendations have been implemented, including the establishment of a Strategic Data Board and Data Delivery Group as well as his new role as Senior Information Risk Owner.