PSNI facing €750,000 fine over data breach involving more than 9,000 serving officers and staff

The Police Service of Northern Ireland (PSNI) is facing a £750,000 fine for failing to protect the personal information of its workforce following an unprecedented data breach.

Announcing its intention to issue the proposed fine on Thursday, the UK Information Commissioner’s Office (ICO) said last August’s leak – involving more than 9,000 serving officers and staff – caused “tangible fear of threat to life”.

The controversy led in part to the resignation of the then PSNI Chief Constable Simon Byrne, who described the breach as “industrial scale” after the surname, initials, rank and role of every PSNI and civilian staff member accidentally appeared online in response to a Freedom of Information request.

In some instances, this detail was highly sensitive, particularly for individuals working in intelligence or covert operations.

Police later confirmed that the information was in the hands of dissident republicans.

ICO investigators said they had heard “harrowing stories” about the impact of the “avoidable error” on people’s lives, with some forced to move house or cut themselves off from family members.

They provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.

A total of 9,483 serving PSNI officers and staff were affected.

John Edwards, UK Information Commissioner, said that the sensitivities in Northern Ireland and unprecedented nature of the breach created a “perfect storm of risk and harm”.

Some individuals had “completely altered their daily routines because of the tangible fear of threat to life”, he said.

“It shows how damaging poor data security can be,” he said.

“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.

“I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”

The Commissioner stressed that the findings and fine are provisional, adding he had used his discretion to apply the so-called public sector approach when calculating the £750,000 fine.

“The aim of the approach is to ensure public money is not diverted away from where it is needed most, while maintaining the right to issue fines in the most serious of cases,” he said.

Had this approach not been applied, the fine would have been set at £5.6 million.

The PSNI and Northern Ireland Policing Board commissioned an independent review in the wake of the incident last year.

Carried out by Pete O’Doherty, temporary commissioner of the City of London Police, it made 37 recommendations for improving information security within the PSNI and said the breach should act as a “wake up call” for forces across the UK.

PSNI Deputy Chief Constable Chris Todd described the ICO fine as “regrettable” given the force’s financial constraints, challenges and current deficit.

The senior officer said the PSNI accepted the Commissioner’s findings and will now take steps to implement the changes recommended.

“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice,” he said.

“The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again.

“Since the data loss occurred in August, the police service has worked tirelessly to devalue the compromised data set by introducing a number of measures for officers and staff. We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.”

The Police Federation for Northern Ireland (PFNI), which represents rank and file officers, said the ICO confirmed there were “dangerous failings” in the protection of personal information.

“It’s clear from this damning report that there was no holding back or minimising what officers and staff were confronted with as a result of personal information reaching the public domain,” Liam Kelly, federation chair, said.

“This kind of egregious error can never be allowed to happen again and that must mean the organisation ensures watertight data defences are in place and that they operate the most stringent possible processes and protocols in the future.”