PSNI Data Breach Exposes Personal Details of 10,000 Officers and Staff

The Police Service of Northern Ireland (PSNI) has apologized for a data breach that exposed the personal details of 10,000 officers and staff. The breach occurred on Tuesday, August 8, when the PSNI accidentally published a spreadsheet containing the surnames, initials, rank or grade, work location, and departments of all PSNI staff. Private addresses were not released.

The data was released in response to a Freedom of Information (FOI) request and was available to the public for up to three hours before the error was spotted. The PSNI has said that it is investigating the incident and that it is taking steps to prevent it from happening again. A special meeting of the Northern Ireland Policing Board will take place on Thursday to discuss the data breach with the PSNI senior team.

How did it happen?

On 3 August, the Police Service of Northern Ireland (PSNI) received a Freedom of Information (FOI) request from a member of the public which asked: "Could you provide the number of officers at each rank and number of staff at each grade?" What they received was a huge Excel spreadsheet representing "the source data".

Everything that was provided under the FOI request, including the spreadsheet, was then published on an FOI website, What Do They Know, on Tuesday afternoon, making it publicly available. It was removed after two-and-a-half hours at the PSNI's request, once they became aware of it. The information included the surname and first initial of every employee, their rank or grade, where they are based and the unit they work in, including sensitive areas such as surveillance and intelligence. It also included people on career breaks.

The Concern

The data breach has raised concerns about the safety of PSNI officers and staff. The PSNI is a high-profile target for terrorism and organized crime, and the release of personal details could put officers and their families at risk. More than 300 police officers were murdered in Northern Ireland during the 30 years of violence known as the Troubles, and officers and staff remain under threat from republican paramilitaries. One constable is reported to have said: “Since joining the service I have moved house and spent a considerable amount of money making sure it is secure and to give me and my loved ones peace of mind. I have chosen to do this job and over time have become accustomed to the risks, but what this breach has done is highlight the fear and concern that my family have about me doing this job.”

A former Northern Ireland justice minister, Naomi Long, has said that the data breach is "a serious security lapse" and that it has "jeopardized" the safety of PSNI officers. The Police Federation for Northern Ireland has called for an urgent inquiry into the incident.

The PSNI has said that it is "committed to protecting the personal data of its officers and staff" and that it is "taking this matter very seriously." The force has urged anyone who has concerns about their personal data to contact the PSNI.

This is the second major data breach in Northern Ireland in recent months. In February 2023, the Electoral Commission was hacked, exposing the personal details of over 40 million voters. The PSNI data breach is a further reminder of the need for organizations to take data security seriously.

Information Commissioner John Edwards said that the breach was "deeply concerning" and that it had "the potential to put the safety of PSNI officers and staff at risk." He added that the ICO is "investigating the matter as a matter of urgency" and that it will "take appropriate action" if it finds that the PSNI has not met its data protection obligations.

Northern Ireland Secretary of State Chris Heaton-Harris said that he was "deeply concerned" by the data breach and that he had spoken to the PSNI Chief Constable about it. He added that he has "full confidence" in the PSNI's ability to investigate the incident and to take steps to prevent it from happening again.

Police Federation for Northern Ireland (PFNI) General Secretary Mark Lindsay said that the data breach was "a serious security lapse" and that it had "the potential to put the safety of PSNI officers and staff at risk." He added that the PFNI is "demanding answers" from the PSNI about how the breach happened and what steps are being taken to prevent it from happening again.

The Data Commissioner

The data commissioner has the power to issue fines to organizations that fail to comply with data protection laws.

What penalties can the Information Commissioner issue?

The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing. Any penalty they issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis. Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3: the higher maximum and the standard maximum.

What is the higher maximum?

The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.

What is the standard maximum?

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

It is still too early to say whether the PSNI will be fined for the data breach, but the ICO is likely to take a serious view of the matter.

Available Guidance

The PSNI data breach is a reminder of the importance of data security for all organizations. Organizations that hold personal data must take steps to protect that data from unauthorized access, disclosure, or destruction. The ICO has published a number of guidance documents on data security, which organizations should refer to, including:

A guide to data security - This guide provides an overview of the data security principles that organizations should follow. It covers topics such as risk assessment, security measures, and incident response.

Data security – a guide to the basics - This guide provides a more detailed overview of the data security principles, with specific examples and practical advice.

Security of personal data in public sector organizations - This guide is specifically aimed at public sector organizations, but it provides useful guidance for all organizations that hold personal data.

The ICO guidance documents emphasize the importance of taking a risk-based approach to data security. This means that organizations should assess the risks to their data and take steps to mitigate those risks. The guidance documents also recommend that organizations implement a range of security measures, such as:

  • Keeping personal data secure - This includes using strong passwords, keeping software up to date, and encrypting data.
  • Restricting access to personal data - Only authorized people should have access to personal data.
  • Monitoring and auditing - Organizations should monitor their systems for security breaches and regularly audit their data security procedures.
  • Responding to incidents - Organizations should have a plan in place to respond to data security incidents, such as data breaches.

The ICO guidance documents are a valuable resource for organizations that want to protect their data from unauthorized access, disclosure, or destruction. By following the guidance in these documents, organizations can help to keep their data secure and protect the privacy of individuals.

In addition to the ICO guidance documents, there are a number of other resources available to organizations that want to learn more about data security. These resources include:

The National Cyber Security Centre (NCSC) - The NCSC provides guidance and advice on cyber security for organizations of all sizes.

The Information Security Forum (ISF) - The ISF is a professional organization that provides guidance on information security.

The Information Systems Audit and Control Association (ISACA) - ISACA is a professional organization that provides guidance on information security governance and risk management.

By taking the time to learn about data security and implement appropriate security measures, organizations can help to protect their data and the privacy of individuals.

Evan Wright is a partner in JMW’s Business Crime and Regulation team.
