The PSNI is facing a £750,000 (€882,000) fine for failing to protect the personal information of its entire workforce following a massive data breach last August.
It is to be imposed by the UK’s Information Commissioner’s Office (ICO), which said the figure would have been much higher, £5.6m (€6.6m), if a private sector body had been involved.
The data breach resulted in dissident republicans getting access to the surname, initials, rank and role of all 9,483 serving PSNI officers and civilian staff.
The details were mistakenly released following a Freedom of Information request.
A week after the data breach, the PSNI Chief Constable at the time Simon Byrne said the information was in the hands of dissident republicans.
In a statement the Information Commissioner’s Office said the data breach had “brought tangible fear of threat to life”.
It said an investigation had provisionally found that the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be,” said UK Information Commissioner John Edwards.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.”
Mr Edwards said he will carefully consider any representations from the PSNI before making a final decision on the fine amount.
He said he was publicising details of the potential action to highlight the need for all organisations to check, challenge and where necessary change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.
In a statement, PSNI Deputy Chief Constable Chris Todd said it accepts the ICO findings.
“Today’s announcement by the ICO that they intend to fine us £750,000 following the data loss of 8 August 2023 is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change,” Mr Todd added.
“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.”
Mr Todd said the report had highlighted once again the lasting impact the data loss had on PSNI officers and staff and that the police service had “worked tirelessly” to reduce the value of the compromised data by introducing a number of measures.
Thousands of police officers and civilian staff are also engaged in legal action seeking damages from the PSNI as a result of the data breach.
A Group Litigation Order was granted in the High Court in Belfast in March, paving the way for the claims to be heard.
The PSNI has said its potentially facing a bill of more than £240m (€282m) in security and compensation payouts.
