The Information Commissioner's Office (ICO) has issued a £750,000 monetary penalty to the Police Service of Northern Ireland (PSNI) following a personal data breach in 2023. The breach occurred when an Excel spreadsheet containing the names, roles, ranks, grades, departments, locations, contract types, gender, and PSNI service and staff numbers of all 9,483 officers and staff was included in a Freedom of Information Act response via the WhatDoTheyKnow website.
Before release, multiple worksheets were created in the spreadsheet for analysis. While most of the worksheets were deleted, the original remained unnoticed, even though a quality assurance process was applied.
Commenting on the PSNI data breach, Information Commissioner John Edwards said, "I cannot think of a clearer example to prove how critical it is to keep personal information safe.
"It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff. A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed."
Despite the seriousness of the breach, Commissioner Edwards said that he was concerned about the "current financial position at PSNI and not wishing to divert public money from where it is needed." Accordingly, Edwards used his discretion to apply the public sector approach, reducing the fine from £5.6 million.
PSNI Chief Constable Jon Boutcher said, "Today's confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing. This fine will further compound the pressures the Service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.
"Following the ICO's announcement in May that they intended to impose a fine and issue an Enforcement Notice we made representations regarding the level of the fine and the requirements in their enforcement notice. While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an Enforcement Notice. That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests."
In a separate statement, data protection specialist Jon Baines commented on the action taken by the ICO, pointing out that following a similar spate of incidents in councils and the NHS more than a decade ago, it is "shocking" that such a breach was allowed to happen. Baines also highlighted the unusual practice of allowing the Chief Constable of PSNI to comment on the disappointingly high fine applied, adding, "Chief Constable Boutcher – you got off lightly".