The PSNI is facing a £750,000 (€882,000) fine for failing to protect the personal information of its entire workforce following a massive data breach last August.
It is to be imposed by the UK’s Information Commissioner’s Office (ICO), which said the figure would have been much higher, £5.6m (€6.6m), if a private sector body had been involved.
The data breach resulted in dissident republicans getting access to the surname, initials, rank and role of all 9,483 serving PSNI officers and civilian staff.
The details were mistakenly released following a Freedom of Information request.
A week after the data breach, the PSNI Chief Constable at the time, Simon Byrne, said the information was in the hands of dissident republicans.
In a statement the Information Commissioner’s Office said the data breach had “brought tangible fear of threat to life”.
It said an investigation had provisionally found that the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be,” said UK Information Commissioner John Edwards.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.”
Mr Edwards said he will carefully consider any representations from the PSNI before making a final decision on the fine amount.
He said he was publicising details of the potential action to highlight the need for all organisations to check, challenge and where necessary change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.
In a statement, PSNI Deputy Chief Constable Chris Todd said it accepts the ICO findings.
“Today’s announcement by the ICO that they intend to fine us £750,000 following the data loss of 8 August 2023 is regrettable, given the current financial constraints we are facing and the challenges we have, given our significant financial deficit to find the funding required to invest in elements of the requisite change,” Mr Todd added.
“We will make representations to the ICO regarding the level of the fine before they make their final decision on the amount and the requirements in their enforcement notice.”
Mr Todd said the report had highlighted once again the lasting impact the data loss had on PSNI officers and staff and that the police service had “worked tirelessly” to reduce the value of the compromised data by introducing a number of measures.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
A number of people were forced to take additional security measures following the fallout of the “inexcusable” data breach, Chair of the Police Federation for Northern Ireland Liam Kelly said.
Speaking on RTÉ’s Morning Ireland, Mr Kelly explained the breach happened at a time when the threat level was severe, shortly after the attempted murder of Detective Chief Inspector John Caldwell.
“Police officers were on high alert at this time as it was.
“So for them to discover that their employer had put their information into the public domain increased the worry and fear that they were being targeted by terrorists.”
He welcomed the reduced fine for the PSNI.
“The PSNI could make better use of the £750,000 fine … it could be used in the workplace to support colleagues or community initiatives.”
Central government funding will be required to pay for compensation and security upgrades, Mr Kelly added.
Thousands of police officers and civilian staff are also engaged in legal action seeking damages from the PSNI as a result of the data breach.
A Group Litigation Order was granted in the High Court in Belfast in March, paving the way for the claims to be heard.
The PSNI has said its potentially facing a bill of more than £240m (€282m) in security and compensation payouts.
