THE Police Service of Northern Ireland (PSNI) has been fined £750k for a data breach which exposed the personal details of its entire workforce.
On August 8, 2023, following a freedom of information request, the force accidentally published a document containing the personal details of all 9,483 officers and members of staff online.
The surnames, initials, rank and roles of the personnel were contained in the document, which remained online for several hours and later fell into the hands of dissident republicans.
In a statement the Information Commissioner’s Office (ICO), said it was the worst data breach they had ever seen, which “should never have happened”.
“I cannot think of a clearer example to prove how critical it is to keep personal information safe,” John Edwards, UK Information Commissioner said.
“It is impossible to imagine the fear and uncertainty this breach – which should never have happened - caused PSNI officers and staff.
“A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.”
Today it was confirmed that the PSNI would face a fine of £750k.
This figure would have been £5.6m but the ICO applied the “public sector approach” to the fine, in light of the “current financial position at PSNI and not wishing to divert public money from where it is needed”.
PSNI Chief Constable Jon Boutcher has responded to the news today“Whilst I am aware of the financial pressures facing PSNI, my role as Commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines,” Mr Edwards said.
“I am satisfied, with the application of the public sector approach, this has been achieved in this case.”
“Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.”
Responding to the fine,PSNI Chief Constable Jon Boutcher said the ICO decision was “regrettable”.
“Today’s confirmation that the ICO has imposed a £750k fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing,” he said.
“This fine will further compound the pressures the Service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.
“Following the ICO’s announcement in May that they intended to impose a fine and issue an Enforcement Notice we made representations regarding the level of the fine and the requirements in their enforcement notice.
“While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an Enforcement Notice.
“That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.”
He added: "As a service we are in a different place today than we were last August and we have continued to work tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff.
"We have provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.
“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”
