Northern Ireland

PSNI fined £750,000 for data breach despite appeals to lower amount due to perilous finances

Details on the entire 9,000 workforce released by mistake following Freedom of Information request

Press Eye - Belfast - Northern Ireland - 22nd May 2024 Photo by Graham Baalham-Curry / Press Eye What: Embargoed media facility following the Information Commissioner’s Office’s (ICO) announcement into the August 2023 data breach Please note reporting on the content of this media facility is strictly embargoed until 00.01 on Thursday 23rd May. PSNI media facility, Police Headquarters, Knock Road, Belfast Deputy Chief Constable Chris Todd addresses media following the ICO announcement into the August 2023 data breach. Strictly embargoed until 00:01 Thursday 23 May Police Service of Northern Ireland response to Information Commissioner’s Office (ICO) announcement. Commenting on the announcement that the Information Commissioner’s Office intends to fine the Police Service of Northern Ireland £750,000, Deputy Chief Constable Chris Todd said: “We accept the findings in the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice. We will now study both documents and are taking steps to implement the changes recommended. “Today’s announcement by the ICO that they intend to fine us £750,000 following the data loss of 8 August 2023 is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change. We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice. “The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again. Since the data loss occurred in August, the Police Service has worked tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff. We provided
Deputy Chief Constable Chris Todd

The PSNI must pay £750,000 for the data leak that led to information on all officers and staff being released last August, the Information Commissioner’s Office has ruled.

Names, job role, rank, grade, department, location of post, gender and PSNI service and staff number of 9,483 individuals were released by mistake following a Freedom of Information request last August.

Information Commissioner John Edwards signalled earlier this year he would issue a fine of £750,000 but waited for the force and rank and file representatives to respond before making his final decision.

John Edwards, the Government’s preferred candidate for Information Commissioner, faced questions from MPs on Thursday.
John Edwards

PSNI Deputy Chief Constable Chris Todd said the fine is “regrettable, especially given the financial constraints we are currently facing”.

“This fine will further compound the pressures the Service is facing,” DCC Todd said, adding the majority of the cost was included in last year’s budget but a further £140,000 will have to found this year.

Mr Edwards said his office took into account the PSNI’s current perilous finances but added that the “nature of the breach and the impact on the people really demand a deterrent and a strong signal...particularly in a situation of security vulnerability”.

The data leak at the Police Ombudsman for Northern Ireland involved the details of 160 current and former employees
The PSNI worked on the assumption information found its way into the hands of republican dissidents (Alamy Stock Photo)

The commissioner said the office was mindful of the organisation’s finances and that the fine would have been £5.6 million if he had not used his discretionary powers to lower the amount so that money was not diverted away from important “public sector” work.

At 2.31pm on August 8 last year the file was uploaded to the What Do They Know site. Senior police were alerted at approximately 4.10pm but it was another 40 minutes before it was hidden from view, then deleted just before 5.30pm.

Following the data leak, the PSNI announced they were working on the assumption that the file was in the hands of dissident republicans.

Mr Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe. It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff.”

DCC Todd welcomed the decision by the commissioner not to issue an enforcement notice, which he said “is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests”.

Liam Kelly, chairman of the Police Federation for Northern Ireland
Liam Kelly, chair of the Police Federation for Northern Ireland (Peter Morrison/PA)

Police Federation chair Liam Kelly said the breach “caused widespread understandable distress and concern and forced a major re-think of personal security” but that a “fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation”.

“We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local Councils,” Mr Kelly added.

Approximately 7,000 individuals are involved in legal actions over clams of negligence and breaches of data protection and privacy. A mediation process has started to assess the level of damages.

Nicolas Hanna KC, counsel for the PSNI, told the High Court last week: “Liability is no longer an issue, it’s (now) a matter of causation and damages.”