Police Service of Northern Ireland Fined £750,000 for GDPR Breach 

The Information Commissioner’s Office has issued a GDPR fine of £750,000 to the Police Service of Northern Ireland (PSNI) for a personal data breach affecting thousands of officers.  

In August 2023, in response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, made via the WhatDoTheyKnow.com (WDTK) website, had asked the PSNI for a breakdown of all staff ranks and grades. But as well as a table containing the number of people holding positions such as constable, the response included a spreadsheet. This contained the surnames of more than 9,483 PSNI officers and staff, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety.

The ICO investigation found that simple-to-implement procedures could have prevented the breach. The ICO’s statement said: 

“Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.” 

On 26th June 2024, the ICO announced that it will review the two-year trial before making a decision on the public sector approach in the autumn. The Notice of Intent issued to the PSNI before this fine was also in the sum of £750,000.

In August this year, the ICO issued a Notice of Intent for £6.09 million to an NHS IT supplier, Advanced Computer Software Group Ltd (Advanced), following a significant data breach in 2022. This came after the ICO found that the company failed to adequately protect the personal data of 82,946 individuals. It will be interesting to see if, here too, the actual fine will be the same as the notice.

ICO Announces £750K Potential Fine for Data Breach

The Information Commissioner’s Office has today announced that it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 for a personal data breach.

The proposed fine (Notice of Intent) relates to an incident which occurred last summer. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, made via the WhatDoTheyKnow.com (WDTK) website, had asked the PSNI for a breakdown of all staff ranks and grades. But as well as a table containing the number of people holding positions such as constable, the response included a spreadsheet. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours. At the time the breach was reported, Ibrahim Hasan gave an interview to BBC Radio Ulster.

The ICO says that the proposed fine could be imposed on the PSNI “for failing to protect the personal information of its entire workforce.” It has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate. 

The fact that the ICO is proposing a large fine is not surprising. The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. The PSNI has previously confirmed that the information was in the hands of dissident republicans, among others. 

It is important to note that this is not a fine. It is a ‘Notice of Intent’, a legal document that precedes a potential fine. Such a notice sets out the ICO’s provisional view, which may of course change after the PSNI makes representations. Remember, we have been here before. In July 2018 British Airways was issued with a Notice of Intent, for a cyber security breach, in the sum of £183 million, but the actual fine, issued in July 2020, was for £20 million. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.

PSNI has also been issued with a preliminary Enforcement Notice, requiring the Service to improve the security of personal information when responding to FOI requests.
