PSNI fined £750,000 over severe data breach that saw staff personal details published online
THE POLICE SERVICE of Northern Ireland has said it is “regrettable” that it has been landed with a hefty fine by the Information Commissioner’s Office after a data loss that saw personal details of police officers published online.
According to the PSNI’s statement, the ICO intends to fine the force over a serious data breach that occurred on 8 August last year.
The data breach, which affected some 10,000 officers and staff, occurred when the service responded to a Freedom of Information request seeking the number of officers and staff of all ranks and grades across the organisation.
In the published response to this request, a table was embedded which contained the rank and grade data, but also included detailed information that attached the surname, initial, location and departments for all PSNI employees.
The data was potentially viewable by the public for between 2.5 and three hours. The PSNI called it a “critical incident”.
In a statement today, PSNI Deputy Chief Constable Chris Todd said the force accepts “the ICO’s Notice of Intent to Impose a Penalty and we acknowledge the learning highlighted in their Preliminary Enforcement Notice”.
“We will now study both documents and are taking steps to implement the changes recommended.”
He said the announcement of the fine was “regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change”.
“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.”
MPs in the UK were told back in September last year that the data breach could potentially cost the force £240 million (€281 million) in security and legal costs.
“The reports highlight once again the lasting impact this data loss has had on our officers and staff and I know this announcement today will bring those to the fore again,” Todd said.
He said officers have worked to “devalue the compromised dataset by introducing a number of measures for officers and staff”.
“We provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits,” he said.
He said a payment of up to £500 was also made available to each PSNI officer and staff affected, for them to purchase equipment or items for their safety needs, and that “90% of officers and staff took up this offer of financial support”.
“An investigation to identify those who are in possession of the information and criminality linked to the data loss continues. Detectives have conducted numerous searches and have made a number of arrests as part of this investigation,” Todd said.
He said the force was now working to implement the recommendations of a review into the loss.
“Work is ongoing to update current policies and develop a new Service Instruction as recommended by the ICO,” he said.
“Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”