PSNI facing £750k fine over data breach
The PSNI is facing a £750,000 fine over the data breach which saw the personal information of all serving police officers and staff published online.
Announcing its provisional decision yesterday, the Information Commissioner’s Office (ICO) said that, had the PSNI not been a public body, the fine would have been to the tune of £5.6 million.
This is because of the ICO’s new public sector approach, announced by information commissioner John Edwards two years ago, which aims to reduce the impact of fines on the public purse.
The PSNI’s data breach saw the surname, initials, rank and role of all 9,483 serving PSNI officers and staff included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request.
The ICO’s investigation has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
Mr Edwards said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm — and show how damaging poor data security can be.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives — from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.
“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.
“I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”
In a statement, the ICO said: “The commissioner’s findings are provisional, and he will carefully consider any representations PSNI make before making a final decision on the fine amount and the requirements in the enforcement notice.”
The PSNI is separately facing legal action over the data breach, with three test cases listed for hearing on liability only on 26 June 2024.