PSNI facing £750k fine over huge data breach
‘Tangible threat to life’ was identified by watchdog after details of 10,000 police officers were published online
THE PSNI is set to face a £750,000 fine after last year’s huge data breach, which saw details of around 10,000 of its officers and staff fall into the hands of dissident republicans.
Details — including surname, initial, rank and role — were inadvertently published online in response to a Freedom of Information request last August.
Today, the Information Commissioner’s Office has announced the organisation will face the fine after it provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
The fine could have reached £5.6m if it was not subject to the organisation’s public sector approach, where it tries to avoid punishing the public by issuing fines that may impact on public services.
Responding to the fine, the PSNI said it was “regrettable given the current financial constraints” the service is facing.
THE PSNI is facing a £750,000 fine after the Information Commissioner’s Office (ICO) identified a “tangible threat to life” following a huge data breach last year.
Details of approximately 10,000 PSNI officers and staff were inadvertently published online in response to a Freedom of Information (FOI) request last August.
Those details — including the surname, initial, rank and role of all serving police officers and staff — were included in a “hidden” tab of a spreadsheet published in response to the request.
The information remained online for two-and-a-half hours before it was removed, with the PSNI later confirming it had fallen into the hands of dissident republicans.
Now the ICO has announced the organisation will face a fine of £750,000 in relation to the breach after the Commissioner provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
The fine has been subject to the organisation’s public sector approach, where they try to avoid punishing the public by issuing fines that may impact on public services. Had this filter not been applied, the ICO said the PSNI would have been facing a fine of £5.6m. However, in their response to the fine, the PSNI said it was “regrettable given the current financial constraints” the service is facing.
Commissioner John Edwards said some of the stories the organisation heard about the impact of the breach had been “harrowing”.
He said: “This breach has had a profound impact on people’s lives and has put lives at risk.
“That has been self-reported, both from individuals and the unions. I don’t think it is disputed by the PSNI; they have had to step in and assist people to relocate. Those security risks are real, they are being taken seriously and steps are being taken to mitigate those.
“Some people choose to conceal their employment, even to close family members, and the fact that has been exposed is an irreparable thing. The fact some people have also had to relocate shows you the depth and the seriousness of the breach.”
Mr Edwards said simple policies and procedures could have helped prevent the breach.
“Sadly, this was very simple to avoid. This potential is common, it’s known, it has occurred many times. It is a vulnerability of Excel spreadsheets that is known in security and privacy circles,” he said.
“Simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.
“Though it is a significant and serious breach which has put people in harm’s way, there has been no sense in which PSNI has sought to avoid responsibility and accountability.
“I have today received personal assurances from the Chief Constable that our outstanding recommendations will be implemented.”
The PSNI has also been hit with a preliminary enforcement notice, requiring the organisation to improve the security of personal information when responding to FOI requests.
In response to the ICO, Deputy Chief Constable Chris Todd said: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice. We will now study both documents and are taking steps to implement the changes recommended. We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice. An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have made a number of arrests as part of this investigation.
“Following the data loss, an independent review was jointly commissioned by the Northern Ireland Policing Board and the Police Service of Northern Ireland into the circumstances surrounding loss. The review published its findings in December and made 37 recommendations that we are now progressing. Fourteen of these have already been implemented.”
Controversy over the data breach ultimately led to the resignation of then-Chief Constable Simon Byrne, and led the PSNI and the Policing Board to commission a review.
The independent report into the breach found it was fundamentally the consequence of the service not seizing opportunities to secure and protect its internal information.
The review headed by Pete O’Doherty, temporary commissioner from the City of London Police, said a “siloed approach” to information management functions was also a strong contributory factor.
The report, which made 37 recommendations, said structures within the force for dealing with data were “outdated”.
Earlier this month PSNI Chief Constable Jon Boutcher revealed the force were facing around 7,000 legal claims in relation to the data breach, with the organisation estimating it could cost them around £240m in security and compensation payouts.
It comes at a time when the force is under considerable financial pressure.
Mr Boutcher also told the Policing Board that no disciplinary action was being taken against anyone involved in the data breach, insisting he would not preside over a “blame culture” within the PSNI.
The Chief Constable said it had been a “systems issue”.
“I think the data breach — people will argue this to a higher or lesser degree, different organisations would say they are probably more robust to the potential of data breaches — but I think it could have happened to anybody, any organisation,” he said. “I will not preside over an organisation where there’s a blame culture.”