Data privacy digest series
In an age where data is both a valuable asset and a potential vulnerability, the importance of protecting personal information has never been greater. For organisations handling sensitive data, particularly in sectors such as law enforcement, even a single breach can have far-reaching consequences.
In an incident that demonstrates this all too well, the Information Commissioner's Office (ICO) imposed a £750,000 penalty on the Police Service of Northern Ireland (PSNI), as a result of a severe data breach which exposed sensitive information against the backdrop of an elevated security landscape in Northern Ireland.
Background
On 8 August 2023, during a response to a Freedom of Information (FOI) request received through a public-facing website (WhatDoTheyKnow), the PSNI shared an Excel spreadsheet which inadvertently included a tab that was meant to have been deleted. The tab contained the details of 9,483 police officers and staff. The sensitive data included surnames and first-name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number. The data was disclosed to, and published on, the same website.
The PSNI acted as soon as they became aware of the data breach, moving swiftly to remove the information from the website. However, the data had already been downloaded and shared widely, complicating containment efforts.
This was particularly disastrous, considering the everyday danger that PSNI officers face in their line of duty – the threat from dissident republican groups, such as the 'New IRA', who reject the peace process in Northern Ireland. Just six months before the data breach, two masked gunmen shot senior PSNI officer John Caldwell while he was off duty, coaching an under-15 football team at a sports facility in Co. Tyrone. He was known for investigating high-profile murders and had received death threats in the past. Other incidents in recent years include a car bomb found under the car of a PSNI officer in East Belfast in 2019, and an explosive device found behind another PSNI officer's car in Co. Derry in 2021.
Against this backdrop, it is clear just how critical the confidentiality of officers' identities is for their safety in Northern Ireland. Many officers take regular precautions to protect their identities within their communities. The potential danger those PSNI officers and staff were placed in was immediately clear, and it was confirmed just a few days after the breach that the data had made its way into the hands of dissident republicans.
Immediate Aftermath
The PSNI reported the data breach to the ICO straight away and made all officers and staff aware that they were the subject of a significant data breach. They set up an emergency group to assist officers with concerns. Officers reported fears over their safety and that of family members, changes required to home security measures and, in some cases, the need to relocate.
Other measures undertaken to mitigate the threat included changing officers' shoulder badge numbers, senior officers visiting and engaging with their teams to provide support and providing financial support for enhanced security measures in the most severe cases.
The PSNI and the Northern Ireland Policing Board commissioned an independent review into the breach. The final report of that review described the breach as "the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff, and communities".
ICO Findings and Subsequent Fine
The ICO launched an investigation to assess the breach and determine the PSNI's compliance with the relevant data protection legislation. During its investigation, the ICO found that the breach stemmed from weaknesses in the PSNI's data-handling process during FOI responses, including a lack of secure deletion of unused data. It was also discovered that internal FOI guidance did not contain any information relating to the format in which electronic files should be disclosed to an FOI requester.
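One control that speaks directly to the two weaknesses the ICO identified (unused data left in the file, and no rule on the format in which electronic files are disclosed) is a pre-release check that enumerates every worksheet in an .xlsx package, hidden or not, and blocks disclosure until each tab has been confirmed. The script below is an added illustration, not part of this article or of any PSNI process; it reads the OOXML package directly with the standard library, and the sample workbook, its sheet names and row counts are constructed.

```python
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

def inspect_workbook(path):
    """Return [(name, state, rows)] per sheet; state is 'visible', 'hidden' or 'veryHidden'."""
    with zipfile.ZipFile(path) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        report = []
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            target = targets[sheet.get(f"{{{NS_REL}}}id")]  # r:id -> worksheet part
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            rows = len(ET.fromstring(z.read(part)).findall(f".//{{{NS_MAIN}}}row"))
            report.append((sheet.get("name"), sheet.get("state", "visible"), rows))
        return report

def release_findings(path):
    """Block release on any hidden sheet, and on any tab beyond the first: a forgotten tab travels with the file."""
    sheets = inspect_workbook(path)
    findings = [f"hidden sheet '{n}' holds {r} rows" for n, s, r in sheets if s != "visible"]
    if len(sheets) > 1:
        findings.append(f"{len(sheets)} sheets present; confirm each is meant for disclosure")
    return findings

def build_sample(path):
    """Constructed sample: a visible answer tab plus a hidden 'Staff list' tab (only the parts this checker reads)."""
    def sheet_xml(n):  # n rows, one inline-string cell each
        cells = "".join(f'<row r="{i}"><c r="A{i}" t="inlineStr"><is><t>x</t></is></c></row>'
                        for i in range(1, n + 1))
        return f'<worksheet xmlns="{NS_MAIN}"><sheetData>{cells}</sheetData></worksheet>'
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                   '<sheet name="FOI response" sheetId="1" r:id="rId1"/>'
                   '<sheet name="Staff list" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>')
        z.writestr("xl/_rels/workbook.xml.rels", f'<Relationships xmlns="{NS_PKG}">'
                   '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
                   '<Relationship Id="rId2" Target="worksheets/sheet2.xml"/></Relationships>')
        z.writestr("xl/worksheets/sheet1.xml", sheet_xml(2))
        z.writestr("xl/worksheets/sheet2.xml", sheet_xml(3))
    return path

if __name__ == "__main__":
    for finding in release_findings(build_sample("foi_response_sample.xlsx")):
        print("BLOCK:", finding)
```

Exporting the approved tab alone to CSV or PDF, rather than sending the workbook, removes the class of error entirely, which is the kind of format rule the ICO found missing from the FOI guidance.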
The regulator found that between 25 May 2018 and 14 June 2024, the PSNI infringed Articles 5(1)(f), 32(1) and (2) UK GDPR because 'the Relevant Processing was not carried out in a manner that ensured appropriate security of the personal data of PSNI officers and staff, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 UK GDPR'.
Due to the severity of the breach and in consideration of the high-risk environment for the officers, the ICO decided to impose a penalty, highlighting the scale, sensitivity and potential harm of the breach. A penalty of £750,000 was set. Whilst the starting point for a breach of this nature was £5.6 million, the ICO followed its revised approach to public sector enforcement and therefore reduced the fine. However, this should not be seen as an indication of leniency on the part of the ICO or of any reduction in severity.
Insight
This unfortunate and avoidable incident highlights the critical need for robust data governance frameworks, continuous staff training and enhanced data security measures. The breach occurred due to a combination of human error and procedural shortcomings, pointing to the importance of implementing safeguards and effective oversight.
It is also a stark warning to organisations that the context in which a data breach occurs will have a significant impact on risk and the need for mitigation. Given the particular sensitivities surrounding the work of those within the PSNI and the security landscape within Northern Ireland, information which may not ordinarily be considered sensitive, such as names and job titles, put individuals at real risk.
For the PSNI and other similar organisations, this serves as a reminder of the need for proactive approaches to data protection and risk management, demonstrating how the slightest lapse in data handling, particularly in high-risk sectors, can have severe repercussions – impacting personal safety, eroding public trust, and attracting substantial regulatory penalties.
If you have concerns about your organisation's data-handling processes or want to know more about how we can help you ensure compliance, please get in touch with our data and privacy experts here at Trowers & Hamlins.