UK data watchdog wants six figures from N Ireland cops after 2023 data leak

May 23, 2024 TH Author

Following a data leak that brought “tangible fear of threat to life”, the UK’s data protection watchdog says it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 ($955,798).

The August exposure of cops’ data affected 9,483 officers and was described by Commissioner Pete O’Doherty of the City of London Police as “the most significant data breach that has ever occurred in the history of UK policing” in an official review.

Surnames, initials, ranks, roles, and places of work were included in a spreadsheet accidentally made public in response to a Freedom of Information Act 2000 (FOI) request. Every serving PSNI officer, including civilian staff members, was included in the leak.

The UK’s Information Commissioner’s Office (ICO) fine today follows consideration from the information commissioner John Edwards, who will take into account any PSNI responses before issuing a final decision.

Edwards said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.

“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.

“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends, and loved ones, did not happen in the first place.”

Edwards’ decision on the fine’s sum takes into account the fact that PSNI is a public sector organization and its funds are best spent on delivering quality services.

He believes large fines alone aren’t an effective punishment as they are in the public sector, and therefore the ICO errs on the side of smaller fines in return for greater engagement with the data watchdog itself and greater investment into data protection.

If the same breach, under the same conditions, was to take place in the private sector, the ICO said the fine would have been set at £5.6 million ($7.1 million). So, a hefty discount was applied.

In addition to its intent to fine the PSNI £750,000 ($955,798), the ICO also issued the force with a preliminary enforcement notice requiring it to improve the security of its FOI responses.

“I am publicizing this potential action today to once again highlight the need for all organizations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them,” said Edwards.

The PSNI’s deputy chief constable Chris Todd said the news of the fine is “regrettable” given the force’s financial struggles, and it will be speaking with the ICO to try to reduce the sum.

Todd added: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice. We will now study both documents and are taking steps to implement the changes recommended.”

The deputy chief constable pointed to PSNI offering £500 in compensation to each officer whose data was caught up in the breach, which was claimed by 90 percent of officers. The compensation was offered to reimburse officers for any personal costs they incurred to increase their personal safety in the wake of the incident.

“The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again,” said Todd. “Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics, and home visits.

“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation.

“Work is ongoing to update current policies and develop a new Service Instruction as recommended by the ICO. Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”

The aftermath

Public sector data exposure stemming from clumsy FoI responses and human error were rife across the UK in the middle of 2023. Police forces in Suffolk and Norfolk, as well as a Cambridgeshire NHS Trust – all in the East of England – later in December blamed poor FoI practice for their respective data blabs.

Cumbria Constabulary in the North West also ‘fessed up to a publishing its own officers’ data just a week after the PSNI, but its incident had occurred months earlier.

However, given Northern Ireland’s history of sectarian violence, the breach of PSNI officers’ information was considered to be more potentially harmful than other breaches.

An official review into the incident revealed the various struggles felt by PSNI officers in the wake of the breach. One officer reported that they relocated themselves shortly after, out of fear for their family’s safety – a revelation that came to light after the PSNI said at the time of the breach that none of its staff were being moved elsewhere.

In the following months, an undisclosed number of additional officers also relocated. The review’s finding was a significant one that illustrated the lengths to which officers were driven after fearing so strongly for their safety.

Many more who anonymously contributed to the review, in most cases younger officers, reported that they wanted to relocate but weren’t financially secure enough to afford the move.

The cop shop dealt with more than 50 sickness absences that specifically blamed the stress of the breach, and mental health issues were rife among the force. Its staff well-being services were at capacity and many officers said they withdrew from their social lives.

Some even sought the PSNI’s help to change their names, although the force said that was unnecessary.

In addition to the ICO’s proposed six-figure fine, the review found that the PSNI would probably be facing a much, much bigger outlay when factoring costs for home security and litigation.

It expected the overall cost of the incident to be in the region of £24-37 million ($30.5-47.1 million), which also included the expected ICO fine.

The review also made 37 recommendations to guide various improvements at the PSNI, which Todd said “are now progressing” and that 14 have already been implemented.

“The recommendations made now by the ICO reflect some of these already being progressed,” Todd added. ®