The scale and severity of the PSNI data breach continue to make headlines, but inadvertent disclosures of this nature are commonplace. While new technology has its place in helping to secure data, it is crucial that organisations continue to apply more traditional data security procedures, backed up by frequent training.

On 8 August 2023, in response to a Freedom of Information Act (FOIA) request, the Police Service of Northern Ireland (PSNI) mistakenly released a spreadsheet which exposed the names and rank of every PSNI officer and member of staff. The data included forty members of MI5, for whom steps are being taken to ensure their protection. The impact of this data breach has been devastating for the employees affected and damaging for the reputation of the PSNI. Given its seriousness, the PSNI declared the breach a “critical incident”, and work is ongoing to mitigate the risk it has created. Unfortunately, shortly after this breach, details of two further incidents involving PSNI laptops and notebooks came to light, including the theft in Newtownabbey of a spreadsheet naming 200 serving officers.

Northern Ireland’s terrorist threat level is currently rated as ‘severe’ by MI5. There have been a number of recent incidents targeting police officers, including a bomb attack on a police car, the shooting of Detective Chief Inspector John Caldwell, threats made against police officers’ families, and officers attacked with deadly force while off duty. Given the current situation, many officers keep the details of their work, and the very fact that they work for the PSNI, secret, because knowledge of this could put their personal safety and lives at risk.

Considering that environment, it is easy to see why the information leaked could cause significant harm to the affected individuals if it fell into the wrong hands. Over five hundred officers have already applied for an internal risk assessment, and some officers may have to give up their jobs or move house to ensure their personal safety. Reports that dissident republicans are likely to possess the list make this particularly concerning. Swift action is being taken, however, with one arrest already made for possession of the document.

What are the consequences?

While the human impact of this breach is uppermost in people’s minds, some are questioning the approach the ICO will take, especially in light of the change in strategic approach to regulatory action against the public sector that the ICO announced last year. Under this new approach, the ICO favours reprimands, enforcement notices and compliance orders over monetary penalties in all but the most serious cases, the rationale being that a fine would come directly out of the money available to that organisation to deliver services to the public.

The ICO has stated that regulators should “play a role in behaviour change” across the economy, so any enforcement action will likely reflect this ethos. It is expected that the ICO will require the PSNI to implement more robust data security and information handling practices to avoid an incident like this occurring again, while also providing personal data training to all staff. A fine is still possible – we need only cast our minds back to the New Year’s Honours list data breach, where the ICO fined the Cabinet Office £500,000 when personal details from the list were leaked. Personal safety concerns were also raised by a small number of individuals in that case.

It is likely that some affected data subjects will issue claims for damages against the PSNI for the distress and anxiety caused by this incident, either individually or as part of a group action (the latter is less likely, as the harm suffered by affected individuals will vary considerably). It has been reported that a local law firm is working with the Police Federation to process compensation claims, while another local firm reports that “the emails just keep coming in” from potential claimants. One estimate puts the total compensation the PSNI may have to pay at up to £100 million. Time will tell, but damages awards could be significant for certain individuals affected by this incident, given recent claims by dissident republicans that they hold this information and the current terrorist threat level in NI. Affected individuals may also seek to pursue employment-related claims.

What lessons can be learned?

While it is still relatively early to be talking in terms of lessons learned, this breach demonstrates the importance of implementing appropriate technical and organisational measures to protect personal data – and putting your people front and centre. They are at the coal face and are most likely to be the weakest link when it comes to security.

Despite the public and political outcry following this incident, this type of inadvertent disclosure is commonplace. The ICO has highlighted the need to ensure that all personal information is removed before a FOIA response is sent. However, many organisations lack the practical checks and balances that would catch such an error before the document leaves the building.
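One such practical check, added here as an illustration and not taken from the page or from the PSNI or ICO, is an automated pre-release scan of any spreadsheet attached to a FOIA response. The script below is a generic control, not a description of how the PSNI breach actually occurred: it opens an .xlsx file with only the Python standard library (an .xlsx is a zip of XML parts), flags hidden or “very hidden” worksheets, hidden rows and columns, and author metadata, and refuses release if any are present. The sample workbook it builds, the sheet names and the author name `analyst01` are constructed for the example and do not represent any real file.

```python
"""Pre-release scan of an .xlsx file for content a reviewer may not see on screen.

Added example, standard library only. An .xlsx package keeps the sheet list in
xl/workbook.xml, maps each sheet to its XML part via xl/_rels/workbook.xml.rels,
and stores document metadata in docProps/core.xml. Hidden sheets, rows and
columns are still fully present in the file even though Excel does not show them.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "main": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "rel": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}
CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"


def scan_xlsx(data: bytes) -> dict:
    """Return the hidden sheets, hidden rows/columns and author metadata found in the package."""
    findings = {"hidden_sheets": [], "hidden_columns": {}, "hidden_rows": {}, "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target_by_id = {r.get("Id"): r.get("Target") for r in rels.findall("pr:Relationship", NS)}

        for sheet in workbook.findall("main:sheets/main:sheet", NS):
            name = sheet.get("name")
            state = sheet.get("state", "visible")      # "visible", "hidden" or "veryHidden"
            if state != "visible":
                findings["hidden_sheets"].append((name, state))

            # Resolve the sheet's XML part; relationship targets are relative to xl/ or absolute.
            target = target_by_id[sheet.get("{%s}id" % NS["rel"])].lstrip("/")
            part = target if target.startswith("xl/") else "xl/" + target
            ws = ET.fromstring(z.read(part))

            cols = [(int(c.get("min")), int(c.get("max")))
                    for c in ws.findall("main:cols/main:col", NS)
                    if c.get("hidden") in ("1", "true")]
            rows = [int(r.get("r")) for r in ws.findall("main:sheetData/main:row", NS)
                    if r.get("hidden") in ("1", "true")]
            if cols:
                findings["hidden_columns"][name] = cols
            if rows:
                findings["hidden_rows"][name] = rows

        # Author fields leak internal usernames even when the cell data is clean.
        if "docProps/core.xml" in z.namelist():
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, tag in (("creator", "{%s}creator" % DC_NS),
                             ("lastModifiedBy", "{%s}lastModifiedBy" % CORE_NS)):
                el = core.find(tag)
                if el is not None and el.text:
                    findings["metadata"][key] = el.text
    return findings


def release_ok(findings: dict) -> bool:
    """Release gate: nothing hidden and no author metadata may remain."""
    return not (findings["hidden_sheets"] or findings["hidden_columns"]
                or findings["hidden_rows"] or findings["metadata"])


def build_sample_xlsx() -> bytes:
    """Constructed sample (not a real file): a visible summary tab with a hidden column,
    plus a hidden tab with a hidden row, as a hasty export might leave them."""
    workbook = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Source data" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>' % (NS["main"], NS["rel"]))
    rels = ('<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="ws" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="ws" Target="/xl/worksheets/sheet2.xml"/>'
            '</Relationships>' % NS["pr"])
    sheet1 = ('<worksheet xmlns="%s"><cols><col min="3" max="3" hidden="1"/></cols>'
              '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Rank</t></is></c></row>'
              '</sheetData></worksheet>' % NS["main"])
    sheet2 = ('<worksheet xmlns="%s"><sheetData><row r="1" hidden="1">'
              '<c r="A1" t="inlineStr"><is><t>Surname</t></is></c></row>'
              '</sheetData></worksheet>' % NS["main"])
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>analyst01</dc:creator><cp:lastModifiedBy>analyst01</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (CORE_NS, DC_NS))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xlsx(build_sample_xlsx())
    print(result)
    print("OK to release" if release_ok(result) else "BLOCKED: review hidden content and metadata")
```

A check like this belongs in the FOIA workflow, not on the analyst's desktop: run it on the outgoing attachment, block on any finding, and require a human to either delete the flagged content or copy only the visible values into a fresh file. Pasting values into a new workbook is the safer habit, because it cannot carry across hidden tabs, filters or pivot caches that a scan of this kind does not cover.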

While the Chief Constable has identified the source of the breach as “human error” and confirmed that steps have been taken to prevent a recurrence, good data hygiene and information handling practices could and should have prevented this catastrophic incident. It is also crucial that organisations provide regular data handling training to minimise the risk of a breach, whether data is being shared internally or disclosed externally.

The ripple effects of this unfortunate incident are unparalleled and will impact the PSNI for years to come, with the Chief Constable describing it as having “a devastating financial, reputational, and human cost”. The Policing Board has launched an independent review to examine the factors and causes of the breach, as well as any action required to prevent further breaches. 

Whatever the outcome, one thing is clear - there are salutary lessons to be learned by all from this incident. The “insider threat” of internal data breaches remains one of the biggest data security risks to all organisations – big or small, public or private sector.