Police service faces £750k fine for data breach

ICO reduces PSNI fine from £5.6 million

PSNI faces £750k fine for major data breach exposing staff information

The Police Service of Northern Ireland (PSNI) is facing a £750,000 fine after a significant data breach last year exposed the identities of all 9,483 serving officers and staff.

The incident, described as a "perfect storm of risk and harm" by the Information Commissioner's Office (ICO), marks the worst security breach in UK police history.

"Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people's lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life," said Information Commissioner John Edwards.

Edwards highlighted the gravity of the mistake, noting that "simple, practical policies could have prevented this potentially life-threatening incident."

The ICO initially considered a £5.6 million fine but reduced it to £750,000 to avoid further burdening public finances.

The breach occurred in August 2023 when a junior staff member mistakenly published a spreadsheet containing the data of the force's entire workforce. This included surnames, initials, ranks and roles of all officers and staff, some of whom work directly with the security service MI5.

A total of 345,000 pieces of information were exposed within a "hidden" tab of the spreadsheet, uploaded in response to a Freedom of Information (FOI) request.

Compounding the error, six staff members failed to detect the mistake before publication.
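The failure mode described above, a worksheet that human reviewers do not see in the tab bar, can be caught mechanically before a file is released. The following is an added example, not PSNI's or the ICO's tooling: a pre-publication check that reads the sheet visibility flags stored in an .xlsx file's `xl/workbook.xml`. The function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by xl/workbook.xml in .xlsx files.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

def non_visible_sheets(xlsx_bytes):
    """Return [(name, state)] for sheets marked 'hidden' or 'veryHidden'."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.findall(f"{{{MAIN_NS}}}sheets/{{{MAIN_NS}}}sheet"):
        # A missing 'state' attribute means the sheet is visible.
        state = sheet.get("state", "visible")
        if state != "visible":
            found.append((sheet.get("name"), state))
    return found

def release_blockers(xlsx_bytes):
    """Human-readable reasons to stop publication; empty list means pass."""
    return [f"sheet '{name}' is {state}; remove it or review its contents"
            for name, state in non_visible_sheets(xlsx_bytes)]

def build_workbook(sheets):
    """Constructed input: a minimal .xlsx container with only workbook.xml.

    `sheets` is a list of (name, state) pairs; state None means visible.
    """
    entries = "".join(
        f'<sheet name="{name}" sheetId="{i}"'
        + (f' state="{state}"' if state else "") + "/>"
        for i, (name, state) in enumerate(sheets, 1)
    )
    xml = f'<workbook xmlns="{MAIN_NS}"><sheets>{entries}</sheets></workbook>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: one visible summary tab plus two non-visible tabs.
    sample = build_workbook([("FOI summary", None),
                             ("Source data", "hidden"),
                             ("Lookup", "veryHidden")])
    for reason in release_blockers(sample):
        print("BLOCK:", reason)
```

This check covers sheet visibility only; hidden rows and columns, and data cached by pivot tables, are stored elsewhere in the file and need their own checks.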

The ramifications were severe. Police later confirmed the leaked information reached dissident republican groups, a particularly concerning development in Northern Ireland, where officers are already high-value targets for terrorist attacks.

The data breach led to the resignation of chief constable Simon Byrne and prompted a joint review by the PSNI and Policing Board.

Chris Todd, Byrne's successor, attributed the error to a "systems failure," with potential costs ballooning to an estimated £240 million for security upgrades and compensation payouts.

The ICO investigation exposed significant shortcomings in the PSNI's internal procedures for data disclosure. The force lacked adequate sign-off protocols, contributing to the catastrophic error.

Todd expressed regret over the ICO's proposed fine, acknowledging its financial impact on the force. He confirmed ongoing efforts to identify those responsible and retrieve the leaked data, with some arrests already made.

"Training of officers and staff is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future," said Todd.

To mitigate the damage, the PSNI has offered safety advice and financial assistance to affected personnel.

An independent review conducted last year revealed a culture within the PSNI that underestimated the importance of data protection.

Published in December 2023, the report made 37 recommendations, 14 of which have already been implemented. These include creating a dedicated data security leadership role and updating internal policies.

The ICO has also issued a preliminary enforcement notice, requiring the PSNI to enhance information security protocols when responding to FOI requests.