Northern Ireland’s police service faces a £750,000 fine from the data protection regulator after the police service mistakenly disclosed the names of all serving officers and staff in a spreadsheet published online.
The data breach by the Police Service of Northern Ireland, which has been described as the most significant in the history of UK policing, is understood to have led to police officers and staff’s personal data falling into the hands of dissident republic groups.
The Information Commissioner said that that the breach had led to police employees having to move house or to cut themselves off from family mangers because of “tangible concerns of loss of life”.
The proposed fine follows the PSNI’s accidental publication of the surnames, initials, rank and roles of all 9,483 service PNSI officer and staff in a “hidden” tab of spreadsheet published on line in response to a freedom of information request published online in August 2023.
The ICO has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
John Edwards, the UK Information Commissioner said that it was troubling that simple, practical-to-implement, polices could have prevented the potentially life-threatening incident.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life,” he said.
The publication of the names, rank and roles of PSNI’s serving officers had caused “untold anxiety and distress to those directly affected as well as their, families, friends and loved ones.”
Edwards said that he had used his discretion to reduce the size of the proposed fine to protect public sector finances, which would otherwise have been set at £5.6 million.
PSNI Deputy Chief Constable Chris Todd said that the fine was “regrettable” given the PSNIs significant financial deficit.
He said that the breach had had a lasting impact on the individuals affected.
“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation,” he said.
The PSNI had provided significant crime prevention advice to officers and staff and their families, through online tools, advice clinics and home visits.
It had also made payments of up to £500 to PSNI employees whose names were disclosed in the breach for equipment or items bought by individuals to support their own safety needs – an offer that was taken up by 90% of officers and staff.
An independent review commissioned by the Northern Ireland Policing Board and the PSNI, found, among other failings that the PSNI had a culture that branded data protection as too complex, niche and somebody else’s problems.
The report published in December 2023, made 37 recommendations of which 14 have now been implemented. They include establishing the Deputy Chief Constable as Senior Information Risk Owner and the creation of a Strategic Data Board and Data Delivery Group, and the PSNI is updating its polices.
“Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future,” said Todd.
The ICO has issued the PSNI with a preliminary enforcement notice requiring the service to improve the security of personal information when responding to FOI requests.