The Police Service of Northern Ireland has been fined £750,000 after the personal information of its entire workforce were exposed.

In a statement, the Information Commissioner’s Office found that “simple-to-implement procedures” could have prevented the serious breach, in which hidden data on a spreadsheet were accidentally released as part of a freedom of information request.

The surnames, initials, ranks and roles of all 9,483 PSNI officers and staff were disclosed.

John Edwards, UK Information Commissioner said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.

“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff. A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.”

Fine is Regrettable

Jon Boutcher, chief constable of the Police Service of Northern Ireland said that the fine is “regrettable”, given the financial constraints it is currently facing. This fine will further compound the pressures the Service is facing.

“Following the ICO’s announcement in May that they intended to impose a fine and issue an Enforcement Notice we made representations regarding the level of the fine and the requirements in their enforcement notice,” he said.

“While we are extremely disappointed the ICO have not reduced the level of the fine, we are pleased that they have taken the decision not to issue an Enforcement Notice. That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.”

Public Money

The ICO said it is mindful of the current financial position at PSNI, and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.

“Whilst I am aware of the financial pressures facing PSNI, my role as Commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines,” Edwards said. “I am satisfied, with the application of the public sector approach, this has been achieved in this case.”

Boutcher said the PSNI continues to progress the recommendations made by the ICO, and also the recommendations made by the Independent Review Team who published their findings in December 2023, including the establishment of the Deputy Chief Constable as the Senior Information Risk Owner (SIRO) and the establishment of a Strategic Data Board and Data Delivery Group, ensuring that information security and data protection matters are afforded the support and attention they critically deserve.

“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future,” Boutcher said.

As reported in April, a compensation claim is being brought against the PSNI, which could potentially cost the organisation £240 million in security and compensation payouts to officers. 

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.