The PSNI could be fined £750,000 for last year’s data breach that revealed the personal information of all 9,483 serving PSNI officers and staff .
The Information Commissioner’s Office (ICO) has announced it intends to fine the PSNI for ‘failing to protect the personal information of its entire workforce’.
The personal information – including surname, initials, rank and role of all serving officers and staff – was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request.
In provisional findings announced today (Thursday), the ICO investigation found that the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were ‘inadequate’.
John Edwards, UK Information Commissioner, said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.”
He added: “And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.”
The Commissioner also stated that the fine could have been £5.6 million had he not used his discretion to, “significantly reduce” the potential fine to ensure public money is not diverted from where it is most needed.
The PSNI has also been issued with a preliminary enforcement notice, requiring the service to improve the security of personal information when responding to FOI requests.
The Commissioner’s findings are provisional, and he will carefully consider any representations the PSNI make before making a final decision on the fine amount and the requirements in the enforcement notice.
The PSNI have since said they cannot afford a £750,000 fine.
Deputy Chief Constable Chris Todd described the fine as “regrettable, given the current financial constraints we are facing”.
However, he stated: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice.
“We will now study both documents and are taking steps to implement the changes recommended.”
He added: “An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation.”
In December 2023, a payment of up to £500 was made available to each individual in the organisation whose name was contained on the data set released.
This was in reimbursement for equipment or items purchased by those individuals against their own particular safety needs.
90% of officers and staff took up this offer of financial support.