The UK Information Commissioner’s Office (ICO) has announced that it may levy a £750,000 penalty on the Police Service of Northern Ireland (PSNI). The proposed fine relates to the PSNI’s failure to secure the personal data of its employees, which resulted in an unprecedented data leak in August last year.
The breach, which led to the exit of the then Chief Constable of the PSNI, Simon Byrne, exposed the sensitive details of over 9,000 active officers and staff members. Details such as the surname, initials, rank and role of each PSNI officer and civilian staff member were unintentionally made public in an incorrect response to a Freedom of Information request. The leak sparked significant public concern, especially about those involved in covert or intelligence operations.
Dissident republicans are now believed to have access to the leaked information. ICO investigators have described the incident as an “avoidable error” that significantly altered the lives of many. Some victims were forced to move home and cut themselves off from their families out of fear for their lives.
The ICO’s interim findings pointed to inadequate internal procedures and authorisation protocols for the secure disclosure of information by the PSNI. The ICO stated that guidelines and strategies that are simple and practical to adopt were not implemented, leading to an incident that caused distress and anxiety to those directly affected.
Denouncing poor data security, the UK Information Commissioner, John Edwards, highlighted the need for organisations to constantly review, test and, where needed, modify their information disclosure procedures. According to Edwards, robust data protection measures are vital to safeguard the personal data that people entrust to organisations.
The findings and the fine are not yet final. The Commissioner disclosed that the proposed £750,000 penalty reflects the application of the ICO’s public sector approach. These measures are intended to impress the importance of data security on all organisations.
The objective of that approach, it was stated, is to prevent public funds from being unnecessarily diverted while still retaining the ability to impose penalties in the most severe circumstances. Had this approach not been applied, the penalty would have been set at £5.6 million.
The PSNI and the Northern Ireland Policing Board commissioned an external review following the incident last year. The interim commissioner of the City of London Police, Pete O’Doherty, conducted the investigation. The report proposed 37 changes to strengthen the PSNI’s data security systems and stated that the breach should serve as a warning to other police forces across the UK.
The PSNI’s Deputy Chief Constable, Chris Todd, described the ICO penalty as regrettable given the force’s budgetary limitations, pressures and existing shortfall. He confirmed that the PSNI accepted the Commissioner’s findings and would implement the recommended changes.
He said, “We will present our views to the ICO concerning the penalty’s magnitude before they determine the final sum and stipulations in their execution order.” He added that the reports once again highlight the persistent effects of this data loss on the force’s officers and staff. He acknowledged that this public announcement might revive those effects.
“Following the data loss incident, we’ve diligently worked towards devaluing the compromised data by implementing various measures for our personnel. We have supplied key crime prevention guidance to our officers, staff and their families through digital platforms, counselling centres, and house visits.”
The Police Federation for Northern Ireland (PFNI), which represents rank-and-file officers, said the ICO had identified serious deficiencies in the safeguarding of personal data. The federation’s chair, Liam Kelly, stated that it was evident from this critical report that the full extent of the problems faced by officers and staff due to the leaking of personal data was neither understated nor overlooked.
He asserted, “Such a glaring mistake must never be repeated, which emphasises that the organisation must guarantee foolproof data security mechanisms in the future. This should be supplemented by the implementation of the most stringent processes and plans ever.”