October 14, 2024

ICO issues £750,000 fine to Police Service of Northern Ireland


On 3 October 2024 the Information Commissioner’s Office (ICO) confirmed that it had fined the Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce. The £750,000 fine is the largest the ICO has ever imposed on a public body in the UK.

The ICO’s Investigation

In August 2023, PSNI received two Freedom of Information requests asking for information relating to the total number of officers at each rank. As it transpired, the information was first downloaded as an Excel file from PSNI’s human resources system. This spreadsheet contained personal data of all 9,483 PSNI officers and staff including, amongst other things, their first name, surname, job role, rank, gender and location of posting.

When considering the request, multiple worksheets were created within the Excel file. Some of these worksheets were deleted before the file was disclosed. However, the original worksheet containing the personal details remained unnoticed and was inadvertently included in the final file disclosed. The Excel file was subsequently uploaded to the requester’s website on 8 August 2023 and remained accessible to the public for over two hours.

The data breach was of particular importance as the PSNI later announced that it was working on the assumption that the data was in the hands of dissident republicans and that it could have compromised the safety of PSNI officers and staff.

The ICO investigation found that simple-to-implement procedures could have prevented the breach. John Edwards, UK Information Commissioner, commented that he could not “think of a clearer example to prove how critical it is to keep personal information safe” and further noted that “it is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff”.

The ICO’s investigation sought feedback from some of the individuals impacted by the breach. Some individuals suggested that as a result of the leak they were very concerned for the safety of themselves and their family. One individual even stated that they had accepted another job outside of the police as a result of the anxiety and stress they had suffered following the breach.

ICO fine

Upon issuing the fine of £750,000, the ICO stated that it had taken into consideration the financial position of the PSNI and used its discretion to apply the public sector approach in this case. Under the public sector approach, fines against public organisations are significantly reduced on the basis that a fine will simply divert public money away from public services. The ICO concluded that had this approach not been applied, the fine would have been £5.6 million.

What can we learn from this case?

This case acts as a stark reminder to organisations of the need to carefully review and quality check documents before disclosing data following a request for information. Whilst this case related to a Freedom of Information request it could easily have been a Data Subject Access Request (DSAR), a request for access to health records or another type of request for information.

The case also highlights that the ICO is prepared to issue hefty fines where a breach causes significant harm and distress to data subjects.

In order to process personal data in compliance with the UK General Data Protection Regulation and to avoid breaches, each organisation should ensure that it:

  • Has put in place adequate and effective training for staff;
  • Takes care when collating and redacting data; and
  • Has established robust quality assurance safeguards before data is disclosed.

 
