ICO Warns PSNI It Faces £750k Fine Over Data Breach


Police Service of Northern Ireland (PSNI) says it cannot afford a £750,000 fine from the ICO over its self-inflicted data breach

The financial implications for the Police Service of Northern Ireland (PSNI) of its self-inflicted and highly damaging data breach in 2023 have become starkly clear this week.

The Information Commissioner’s Office (ICO) on Thursday announced that the PSNI is facing a possible £750,000 fine, saying the “data breach brought tangible fear of threat to life.”

But the PSNI has warned in a statement that, due to current financial constraints, it cannot afford the fine and will seek to engage with the ICO before the data protection regulator makes its final ruling.

Data breach

The issue began in August 2023 when every police officer in Northern Ireland had their names and departmental locations exposed in a self-inflicted data breach.

The monumental data breach affecting 10,000 PSNI personnel occurred when the surnames and initials of current police officers and civilian staff members, as well as the location and department they work in, were included in a “hidden” tab of a spreadsheet published online in response to a freedom of information (FoI) request.

Chief Constable Simon Byrne at the time said he was “deeply sorry” for the “industrial scale breach of data that had gone into the public domain”, describing it as an “unprecedented crisis.”

Matters were made worse when it emerged that the PSNI had become aware that dissident republicans claimed to be in possession of some of this information.

A number of arrests were made under the Terrorism Act, and shortly after the breach Chief Constable Simon Byrne resigned after losing a no-confidence vote.

The PSNI data breach was significant due to the risk to life it potentially brings for police officers serving in Northern Ireland.

ICO warning

Eight months after the data breach, the Information Commissioner’s Office has made a provisional finding about the scale of the fine for the PSNI.

“We have announced we intend to fine the Police Service of Northern Ireland (PSNI) £750,000 for failing to protect the personal information of its entire workforce,” said the ICO.

“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be,” said John Edwards, UK Information Commissioner.

“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life,” said Edwards.

“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place,” said Edwards.

The ICO said that, recognising that public money is best used to support the delivery of essential services, the Commissioner used his discretion to apply the public sector approach when calculating the PSNI's provisional fine amount.

Had the public sector approach not been applied, this provisional fine would have been set at a whopping £5.6 million.

PSNI response

But the PSNI in its response said it cannot afford even the lesser fine of £750,000.

“We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice,” said Deputy Chief Constable Chris Todd. “We will now study both documents and are taking steps to implement the changes recommended.”

“Today’s announcement by the ICO that they intend to fine us £750,000 following the data loss of 8 August 2023 is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change,” said Todd.

“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice,” said Todd.

“The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again,” said Todd.

Todd said that up to £500 was made available by the PSNI to each individual impacted, in reimbursement for equipment or items purchased by those individuals against their own particular safety needs. He said 90 percent of staff had accepted this payment.

“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues,” Todd added. “Detectives have conducted numerous searches and have made a number of arrests as part of this investigation.”

Life threatening

The Police Service of Northern Ireland was formerly known as the Royal Ulster Constabulary (RUC) until 2001.

During the Troubles, the RUC suffered 319 police officers killed and almost 9,000 injured in paramilitary assassinations or attacks by Republican terrorists.

So far two PSNI police officers have been killed by terrorist attacks.

The risks of being a PSNI police officer were demonstrated in February 2023, when dissident republicans linked to the New IRA approached a police officer as he finished coaching a children’s football team, shot him several times, and left him for dead.

Fortunately that police officer survived, but he suffered life-changing injuries.