
Negligent Employee Data Leak Earns Northern Ireland’s Police Service a Hefty ICO Fine

The Police Service of Northern Ireland was hit with a landmark ICO fine for its alleged failure to prevent a data leak that exposed its employees’ personal information.

“We have fined Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety,” the ICO said.

The data breach stemmed from a freedom of information request in which PSNI released a spreadsheet containing the surnames, initials, ranks, and roles of all 9,483 police officers and staff.

Negligent PSNI data leak attracts a hefty ICO fine

According to the United Kingdom’s Information Commissioner’s Office (ICO), PSNI failed to implement simple procedures to prevent the data leak.

“Our investigation found that simple-to-implement procedures could have prevented the serious breach,” the ICO stated.

The Commissioner noted that the landmark ICO fine was a lesson for all organizations to review their data disclosure procedures to ensure the safety of personal information under their control.

“I cannot think of a clearer example to prove how critical it is to keep personal information safe,” said John Edwards, UK Information Commissioner. “Let this be a lesson learned for all organizations. Check, challenge, and change your disclosure procedures to ensure you protect people’s personal information.”

Nonetheless, PSNI contested the punitive ICO fine, citing the current financial constraints the law enforcement agency faces.

“Today’s confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing,” said Boutcher, PSNI’s Chief Constable.

However, the ICO insisted that negligent data leaks should not go unpunished, regardless of the culprit’s status in society or financial situation.

“Whilst I am aware of the financial pressures facing PSNI, my role as Commissioner is to take action to protect people’s information rights, and this includes issuing proportionate, dissuasive fines,” explained Edwards.

Attributing the reduced punishment to the “public sector approach,” the British privacy watchdog warned that the PSNI data leak warranted a bigger ICO fine.

“Had this not been applied, the fine would have been £5.6 million,” the ICO said.

The commissioner added that the “current financial position at PSNI” and the desire to avoid redirecting public money from where it is needed most also influenced his decision to reduce the ICO fine.

Cybersecurity impacts real life

Highlighting the severity of the PSNI data leak, the British privacy watchdog lamented that the breach handed “dissident republicans” the personal information of many PSNI officers, including many who “made great sacrifices to conceal their employment.”

“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff,” said Edwards.

Subsequently, some PSNI data leak victims had to exit police service prematurely due to the pressure of having their law enforcement careers exposed.

“Everything has culminated and become too much for me to the point that I have accepted another job outside of the police,” one victim said. “To say I am devastated is an understatement but I feel I have no choice.”

Another victim narrated how they struggled to keep their law enforcement career confidential to protect their families from possible attacks.

“I have also spent a considerable amount of effort to make our home private and secure to reduce [the] potential for attacks,” they said. “This has now been severely compromised and will require further expense to upgrade.”

Since 1992, the United Kingdom has grappled with separatists who wish to leave the UK and reunite Northern Ireland with the Republic of Ireland, an independent country and EU member. Such groups have long regarded law enforcement officers as legitimate targets, with over 300 killed in three decades.

Besides the punitive ICO fine, the British privacy regulator had also recommended the establishment of the Senior Information Risk Owner (SIRO), chaired by the Deputy Chief Constable, and the Strategic Data Board and Data Delivery Group, to prevent future data leaks.

Meanwhile, PSNI’s Chief Constable said work was in progress to “ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”

Nonetheless, PSNI data leak victims face persistent cyber and physical risks from having their sensitive personal information disclosed.