PSNI could be fined £750k over data breach
The Police Service of Northern Ireland (PSNI) could be fined £750,000 for a major data breach last year.
Following the breach last summer, the PSNI confirmed that the information was in the hands of dissident republicans, among others.
The Information Commissioner’s Office has announced that the proposed fine could be imposed on the PSNI “for failing to protect the personal information of its entire workforce”.
The PSNI has said it cannot afford such a fine.
The breach happened when the police responded to a Freedom of Information (FOI) request and information was published online about the PSNI’s 9,483 policing and civilian employees.
‘Tangible fear of threat to life’
The personal information included the surname, initials, rank, and role of all serving PSNI officers and staff.
In provisional findings announced Thursday, UK Information Commissioner John Edwards said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.”
He added: “Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.”
The proposed fine is provisional to allow the PSNI to make representations before a final decision.
Mr Edwards also revealed that the potential fine could have been £5.6m but he used discretion to significantly reduce the amount to ensure public money is not diverted from where it is most needed.
The PSNI has also been issued with a preliminary enforcement notice, requiring the Service to improve the security of personal information when responding to FOI requests.
In his provisional findings, Mr Edwards indicated that the breach could have been avoided.
“What’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place,” he said.
He also said there were lessons for other organisations.
“I am publicising this potential action today to, once again, highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”
A previous independent review last December declared that the breach was “not the result of a single isolated decision or act by one person, team or department”.
That review, which was commissioned by the PSNI and the Policing Board, was conducted by Pete O’Doherty, temporary commissioner of the City of London Police.
He stated at the time: “It was the consequence of many factors, and fundamentally a result of [the] PSNI not seizing opportunities to better and more proactively secure and protect its data”.
Searches and arrests
The PSNI said that it will make representations to the commissioner explaining that the force cannot afford a £750,000 fine.
It has 28 days to respond.
Deputy Chief Constable Chris Todd has also said an investigation is continuing to identify those who are in possession of the information and criminally linked to the data loss.
He said detectives have conducted numerous searches and have made a number of arrests as part of the investigation.
One person is currently being prosecuted.
Mr Todd told BBC News NI that as a result of this single case the PSNI has put in place “specific measures in relation to a number of individuals in the service”.
The Chief Constable, Jon Boutcher, has previously announced that every PSNI officer and staff member would be offered a one-off payment of £500 to help with home security measures following the data breach.
The incident contributed to the resignation of the chief constable at the time, Simon Byrne.
Published at Wed, 22 May 2024 23:02:14 +0000