PSNI faces £750,000 fine for massive data breach last year

23 May 2024


The PSNI accidentally shared data about its 9,483 officers and staff last year, leading to some having to move house, cut contact with family members and face a ‘tangible fear of threat to life’.

The Police Service of Northern Ireland (PSNI) is facing a fine of £750,000 for a data breach last year that impacted its entire workforce.

The PSNI revealed last August that details of its entire workforce – nearly 9,500 individuals – were published accidentally in response to a Freedom of Information request. This data included the surnames and initials of all PSNI employees, along with their work location and role.

There were also reports that the leaked data included staff members working in sensitive areas, including 40 PSNI staff who were based with the UK’s MI5 agency. The PSNI said this breach occurred due to simple “human error”.

The UK’s data watchdog – the Information Commissioner’s Office (ICO) – investigated the breach and has provisionally found that the PSNI’s internal procedures and sign-off protocols for disclosing information were “inadequate”.

“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be,” said UK information commissioner John Edwards.

“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.”

Edwards said it is “troubling” that simple policies and procedures would have prevented this “potentially life-threatening incident”. He added that the breach caused “untold anxiety and distress” to those impacted and their families.

The ICO said it applied the public sector approach when calculating the fine, as it did not want to divert public money from where it is needed most. Without this approach, the ICO says the provisional fine would have been set at £5.6m.

“I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them,” Edwards said.


Leigh Mc Gowran is a journalist with Silicon Republic
