PSNI to face £750,000 fine as a result of data breach that could have been easily avoided


The PSNI are to be hit with a £750,000 fine as a result of a data breach last year that released the personal details of over 9,000 officers and staff.

The force had potentially faced a £5.6million fine, but the Information Commissioner reduced it in order to ensure that public money is not diverted from where it is most needed.

In August 2023, the PSNI released a response to a Freedom of Information request that included a spreadsheet containing a hidden tab revealing the personal details of 9,483 police officers and staff, including surname, initials, rank and their roles.


The Information Commissioner’s Office has now provisionally found that the force’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate, following an investigation.

These findings are not final and the ICO has said it “will carefully consider any representations PSNI make before making a final decision on the fine amount and the requirements in the enforcement notice.”

Speaking to Belfast Live, Information Commissioner John Edwards said there were a number of simple steps the PSNI could have taken to avoid the data breach in the first place, saying that Excel spreadsheets “are well known to be perilous for containing hidden data.” He also said that converting the file or data to a CSV file or a PDF would have been a more secure way of releasing the data to the FOI requester.

The PSNI was found to have failed to put policies and procedures in place in order to ensure that the data was handled securely.

Mr Edwards said: “They should have had steps in their policies and procedures requiring someone to double check that there was no unintended release of personal data. Risks associated with spreadsheets should have been flagged and included in training material.”

He continued: “The risks, as I said, with Excel spreadsheets are well known, they ought to have been anticipated, they ought to have had steps in place. We have had guidance on this on our website, we are the FOI regulator as well as the data protection regulator. So we have guidance saying there are risks associated with responding to FOI requests with original source spreadsheets, here is how you can mitigate those risks.

“The PSNI did not have those steps in place.”

The Commissioner said that thousands of people within the PSNI had been impacted by the data breach, with this causing severe distress to many as it was a “potentially life-threatening incident” that forced people to move from their homes, disconnect from family and make major changes to their lives.

He explained his reasoning behind reducing the fine for the PSNI saying: “When we took the facts of the breach and the potential impact on individuals, the number of people and the kind of harm and when we ran that through our penalty setting guidance and the number that dropped at the bottom was £5.6million.

“I have asked the organisation to trial an approach with public authorities that recognises when you take a fine off of a devolved authority with limited funding you are actually very often taking money away from the services that are there to be provided to the individuals who are impacted by the breach, so in effect you are punishing that community twice.

“The message to the wider economy is that if you get this badly wrong and put people at risk, you could face a fine at this level. With the PSNI we applied our public sector stance and have said that even with our accommodating stance to public authorities you are going to have to pay but we are going to set it at a level that is much lower at £750,000.”

However, the £750,000 could be reduced further, as the PSNI has an opportunity to make representations to the ICO, which will be considered before a final decision is made.

The PSNI has been issued with a preliminary enforcement notice, requiring the Service to improve the security of personal information when responding to FOI requests.

The Commissioner said that while the data breach was a “profound breach of trust” by the PSNI and it will take time for the force to rebuild that trust among officers and staff, he had received personal assurances from the Chief Constable that any recommendations made to the PSNI will be implemented.

Mr Edwards said: “I would say that the will, from my observation, is definitely there and I was very pleased that the PSNI engaged with us in a constructive way. There was no defensiveness, they wanted to understand what had happened so they could take steps to ensure that it never happened again.

“I don’t fault them for their response to the incident but the nature of the incident itself demands the kind of regulator response that we are flagging today which is a significant fine.”

Reacting to the announcement, Deputy Chief Constable Chris Todd said the PSNI “accept the findings” of the Information Commissioner’s Office, but added that it is “regrettable, given the current financial constraints we are facing” to be facing a £750,000 fine.

He added: “Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.

“In December 2023 a payment of up to £500 was made available to each individual in the organisation whose name was contained on the dataset released in reimbursement for equipment or items purchased by those individuals against their own particular safety needs. 90% of officers and staff took up this offer of financial support.

“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation.”

In April it emerged that almost 5,000 police officers and staff are involved in legal action following the data breach.

The PSNI has previously indicated that the data breach could potentially cost the organisation £240 million in security and compensation payouts to officers.

Belfast law firm Edwards & Co said it is representing almost 5,000 police officers and staff. It said three test cases for a liability only hearing have been listed for June 26. The firm is one of the Management Solicitors appointed by the court in a recent group litigation order.

Edwards & Co partner Philip Gordon said in April: “This decision by the High Court is very encouraging progress for our clients, who number almost 5,000. At the review hearing this morning (Friday) the court listed three test cases for hearing on liability only for June 26 2024.

“The Management Solicitors have served a statement of claim in each of the cases and the defendant was directed to enter their defence within the usual six-week period.

“It represents very encouraging progress. Each claim will still have to be considered individually in terms of the appropriate damages, taking into account that each plaintiff will have been affected differently.

“It may therefore take some time after a liability hearing to deal with each individual case, but we are committed to getting every client the best possible result.”
