The UK Information Commissioner’s Office (ICO) has levied a substantial fine of £750,000 against the Police Service of Northern Ireland (PSNI) following a data breach in 2023 that exposed the personal information of all 9,483 officers and staff. This breach revealed sensitive details, including surnames, initials, ranks, and roles, putting many officers at risk, particularly as they often kept their employment confidential due to the persistent sectarian tensions in the region. The ICO’s investigation highlighted the serious implications of this breach, especially in a context where the safety of law enforcement personnel is a critical concern.
The breach occurred when the PSNI attempted to respond to two Freedom of Information requests made through the platform WhatDoTheyKnow, which facilitates public access to information under the Freedom of Information Act. While processing these requests, PSNI staff inadvertently downloaded a human resources database into an Excel spreadsheet and failed to remove a tab containing raw data. As a result, this sensitive information was publicly accessible for over two hours before being deleted, raising serious questions about the adequacy of the PSNI’s data handling procedures.
The exposure of this information has had profound effects on the affected individuals. Some staff members reported feeling unsafe, with one stating, “I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok.” The concerns of those affected are amplified by the current threat landscape in Northern Ireland, where the British Security Service rates the terrorism threat level as “substantial,” indicating a likely attack, particularly from dissident republican groups opposed to the peace process.
In light of the breach, the PSNI has accepted liability and is engaging in mediation talks to determine compensation for those impacted. The ICO noted that the fine included a significant discount applied to government agencies, which lowered the penalty from an original amount of £5.6 million. Deputy Chief Constable Chris Todd acknowledged that while the PSNI has accounted for most of the fine in its budget, it would need to find an additional £140,000 to cover the total amount. This incident serves as a stark reminder of the importance of robust data protection practices, particularly for organizations handling sensitive personal information.
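A pre-release check for the failure described above, where a spreadsheet was published with a tab of raw data still in it. This is an added example, not part of the original article or of any PSNI or ICO tooling; the function names, sheet names and allowlist are assumptions, and the hidden-sheet and pivot-cache checks go beyond the single case the article describes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_xlsx(data, approved_sheets):
    """Return (item, reason) findings that should block release of the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        # The workbook part lists every worksheet, including hidden ones.
        # Input here is the organisation's own outgoing file; use a hardened
        # XML parser if the same check is run on untrusted uploads.
        root = ET.fromstring(pkg.read("xl/workbook.xml"))
        for sheet in root.findall("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # hidden / veryHidden
            if state != "visible":
                findings.append((name, f"sheet is {state}"))
            if name not in approved_sheets:
                findings.append((name, "sheet not on approved list"))
        # Pivot tables keep a cached copy of their source rows in the package.
        for part in pkg.namelist():
            if part.startswith("xl/pivotCache/") and "Records" in part:
                findings.append((part, "pivot cache holds a copy of source rows"))
    return findings

def build_sample(sheets, extra_parts=()):
    """Constructed sample: a minimal package with only the parts the audit reads."""
    rows = "".join(
        f'<sheet name="{n}" sheetId="{i}"' + (f' state="{s}"' if s else "") + "/>"
        for i, (n, s) in enumerate(sheets, 1))
    xml = f'<workbook xmlns="{NS["m"]}"><sheets>{rows}</sheets></workbook>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/workbook.xml", xml)
        for part in extra_parts:
            pkg.writestr(part, "<x/>")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed input: one approved summary sheet plus leftovers.
    leaky = build_sample(
        [("Summary", None), ("Data", None), ("Lookup", "hidden")],
        ["xl/pivotCache/pivotCacheRecords1.xml"])
    for item, reason in audit_xlsx(leaky, {"Summary"}):
        print(f"BLOCK RELEASE: {item}: {reason}")
```

The allowlist is deliberately explicit: a file passes only when every sheet in it was named by the person approving the disclosure.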