The ICO found that ‘simple-to-implement procedures’ could have prevented the breach.
The UK’s Information Commissioner’s Office has today (3 October) issued a £750,000 fine to the Police Service of Northern Ireland (PSNI) for a massive data breach that occurred last year.
The breach, which took place in August 2023, saw the data of the PSNI’s nearly 9,500-strong workforce accidentally published in response to a Freedom of Information (FOI) request.
This data included the surnames and initials of all PSNI employees, along with their work location and role.
The ICO found that “simple-to-implement procedures” could have prevented the breach.
John Edwards, UK information commissioner, said he couldn’t think of a clearer example to prove how critical it is to keep personal information safe.
“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff,” he said.
“A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.”
The data that was leaked also included details of officers working in sensitive areas, including roughly 40 PSNI staff who are based with MI5.
As part of the investigation, the ICO heard complaints from those who were directly affected by the breach, some of whom were unable to sleep and had installed expensive security upgrades to their homes out of fear for their safety.
One person said: “I continually get up through the night when I hear a noise outside to check that everything is OK. I have spent over £1,000 installing modern CCTV and lighting around my home, because of the exposure.”
Another complainant said they had gone to great trouble to ensure they remained invisible, but now they have trouble sleeping and their family is worried about their welfare. “Some of them have told me that they have nightmares about me getting attacked.”
A ‘proportionate, dissuasive fine’
The ICO said it took the PSNI’s financial position into account when calculating the fine as well as not wishing to divert public money from where it was needed.
“The commissioner used his discretion to apply the public sector approach in this case,” the organisation said in a statement. “Had this not been applied, the fine would have been £5.6m.”
The fine was first announced in May this year, along with the intention to issue an enforcement notice, requiring the service to improve the security of personal information when responding to FOI requests.
However, the commissioner ultimately decided that an enforcement notice was no longer required because he felt the PSNI had made the necessary changes to its policies.
Jon Boutcher, chief constable of the PSNI, said the fine is “regrettable” as it will further compound the pressure the service is facing.
“While we are extremely disappointed the ICO have not reduced the level of the fine, we are pleased that they have taken the decision not to issue an enforcement notice,” he said.
Edwards said he is aware of the financial pressures facing the PSNI, but his role requires him to issue “proportionate, dissuasive fines” in order to protect people’s information rights.
“Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.”