The Information Commissioner’s Office has stated that it is publicising this potential action to highlight the need once again for all organisations to review, challenge, and, where necessary, change their disclosure procedures.

The Information Commissioner's Office (ICO) announced on 23 May 2024 that it intends to issue a £750,000 fine against the Police Service of Northern Ireland (PSNI) for failing to protect the personal information of its staff in last year’s industrial-scale data breach.

The breach, which occurred on 8 August 2023, arose when a spreadsheet containing personal details of all 9,483 PSNI officers and staff was mistakenly published online in response to a freedom of information (FOI) request, after six staff members failed to detect a ‘hidden tab’ containing the data. The exposed information included the surnames, initials, ranks and roles of every staff member in the force, which, although not special category data under UK data protection law, is extremely sensitive in nature given the delicate political situation in Northern Ireland. The leak led to serious concerns about the safety and security of those affected.
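The ‘hidden tab’ failure above is mechanically detectable before release: an .xlsx file is a zip archive whose xl/workbook.xml lists every worksheet, and a sheet that has been hidden carries a state="hidden" (or "veryHidden") attribute there. The following added example (not code from the PSNI, the ICO or the original article) is a minimal pre-disclosure gate that enumerates all sheets and flags the non-visible ones; the sample workbook it builds is constructed inline and contains only the workbook part, which is enough for this check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespace used by xl/workbook.xml in Office Open XML (SpreadsheetML).
SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def sheet_states(xlsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (sheet name, visibility) for every worksheet in the workbook.
    The state attribute is omitted for visible sheets; "hidden" can be
    unhidden from the Excel UI, "veryHidden" only via VBA or the file itself."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    sheets = root.find(SML_NS + "sheets")
    if sheets is None:
        return []
    return [(s.get("name", ""), s.get("state", "visible"))
            for s in sheets.findall(SML_NS + "sheet")]


def disclosure_check(xlsx_bytes: bytes) -> list[str]:
    """Pre-release gate: names of sheets a reviewer looking only at the visible
    tabs would never see. A non-empty result should block publication until
    each listed sheet has been reviewed or removed."""
    return [name for name, state in sheet_states(xlsx_bytes) if state != "visible"]


def build_sample() -> bytes:
    """Constructed sample: one visible response sheet plus a hidden sheet that
    still contains the underlying staff data. Sheet names are made up."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets>'
        '<sheet name="FOI Response" sheetId="1" r:id="rId1"/>'
        '<sheet name="Staff List" sheetId="2" state="hidden" r:id="rId2"/>'
        '</sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for name, state in sheet_states(build_sample()):
        print(f"{name!r}: {state}")
    print("blocked, hidden sheets:", disclosure_check(build_sample()))
```

Hidden rows, hidden columns and pivot caches are further places where source data survives in a published workbook, so this gate is one control in a disclosure procedure, not the whole of it.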

The impact of this avoidable error had harrowing consequences, with some individuals having to leave their family homes, cut themselves off from relatives and completely alter their daily routines due to the fear of a substantial threat to their lives.

2023 was an “annus horribilis” for the PSNI from a data protection perspective, with a number of data incidents making the headlines. It was also reprimanded by the ICO on 26 October 2023 for unlawfully sharing personal data with the US Department of Homeland Security.

The UK Information Commissioner, John Edwards, stated that the investigation into this industrial-scale breach has provisionally determined that the PSNI's internal procedures and sign-off protocols for safely disclosing information were inadequate and, rather troublingly, that simple and practical-to-implement policies and procedures could have prevented this potentially life-threatening incident. He also highlighted that this clerical error had caused untold anxiety and distress to those directly affected, as well as to their families, friends and loved ones.

In response to the report from the PSNI and other similar high-profile breaches, the ICO has issued an advisory notice to public authorities, providing recommendations for the prevention of inappropriate data disclosures in FOI responses.

Recognising that public funds are best utilised for essential services, the ICO exercised its discretion in applying a public sector approach to the calculation of the provisional fine amount, ensuring that public money would not be diverted from critical needs. The ICO highlighted that, had the public sector approach not been adopted, the provisional fine amount would have been set at £5.6 million. In the meantime, the PSNI has been issued with a preliminary enforcement notice requiring it to enhance the security of personal information when responding to FOI requests.

It is important to note that the reported findings from the ICO are provisional, and the final decision regarding the fine amount and the enforcement action to be implemented will be made after consideration of any representations made by the PSNI.

An independent peer review of the incident undertaken last year also exposed critical lapses in the PSNI’s handling of sensitive information and data, which led to this breach. The report highlighted deficiencies in the PSNI’s attitude towards prioritising data, information and cyber security, noting that the Data Protection Act 2018 had not yet been fully embedded within the force. More specifically, the PSNI was failing to meet its obligations in relation to Data Protection Impact Assessments (DPIAs). The report also pointed to outdated structures, siloed operations and inadequate co-ordination and resource allocation within the PSNI, which resulted in ineffective policies, processes and training. Furthermore, it was revealed that individuals had minimal understanding of the risks of internal data sharing, and that the Data Protection Officer (DPO) role in the PSNI “had no direct reporting mechanism to the most senior level of the organisation which is a legal requirement”, which had resulted in a “skewed focus”.

No doubt, lawyers for the several hundred claimants who have since issued High Court legal proceedings against the PSNI, seeking compensation for damage suffered as a consequence of this incident, will be seeking to make use of the ICO’s and the independent peer review’s findings. So, whilst the PSNI might face a lower ICO fine than expected for this incident, it may still face a much bigger bill if the claimants succeed with their compensation claims, at a time when its budget is already under immense strain.