The Information Commissioner has said accountability comes in many forms after questions were asked following a major data leak by police.
The Police Service of Northern Ireland (PSNI) was fined £750,000 for an “egregious” data breach in which the personal information of staff and officers was released.
The Information Commissioner’s Office (ICO) fined the organisation for the “serious” breach that left many PSNI workers fearing for their safety, and said “simple-to-implement” procedures could have prevented it.
However questions have been asked around whether anyone has been made accountable for the breach.
Appearing before the Northern Ireland Policing Board, Information Commissioner John Edwards said that accountability “comes in many forms”.
“The chief constable is sitting in front of the Northern Ireland Policing Board and that is a principal form of accountability in this community,” he said.
He pointed out he is a regulator and it is his job to administer data protection regulations to ensure that data is kept safely and securely, and not misused.
While he said that in his time in the job, this incident was “right at the edge of the most serious” he had seen, he went on to tell the board that he believes significant improvements have been made and the public can be reassured that the PSNI does take its obligations in relation to personal data very seriously.
Policing Board chair Mukesh Sharma described the breach as a “critical incident which had serious reverberations within and outside of the PSNI”.
The ICO had previously announced its intention in May to fine the organisation £750,000 and Thursday’s announcement is confirmation of the final figure.
The breach happened in August 2023, when a spreadsheet released as part of a freedom of information request held hidden data with the initials, surname, rank and role of all 9,483 PSNI officers and staff.
Police later said the information had got into the hands of dissident republicans.
In the aftermath of the leak, some officers chose to relocate their homes, cut contact with family members, and change daily routines.
The UK data regulator said that the fine should have been £5.6 million, but as it was “mindful” of the financial constraints faced by the PSNI, it used its discretion to reduce the total amount.
Mr Edwards said it was “a lack of simple, internal processes” that led to the “particularly egregious breach”.
He said it served as “a lesson for all organisations” to check their process around data protection.
Mr Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.
“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff.
“A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.
“Whilst I am aware of the financial pressures facing PSNI, my role as commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines. I am satisfied, with the application of the public sector approach, this has been achieved in this case.”
Deputy Chief Constable Chris Todd said he wanted to acknowledge the impact the breach had, which was “difficult” for staff and officers.
Asked about what the total costs would be, Mr Todd said that a universal payment of up to £500 for individual security measures for staff and officers had cost £3.4 million.
He said that around 7,000 claimants had taken legal action against the organisation over the breach, which he said would be “the biggest chunk of expenditure”.
“In June, that process went before the courts and we accepted liability, so that was committed to in June and the courts are now working through that process to determine how much exactly that will be,” he said.
He added the £750,000 fine will “add to pressures” on “woefully underfunded” police services.
“We made the representations obviously hopeful that there might be an adjustment,” he said, adding that they would not be appealing against the amount.
PSNI Chief Constable Jon Boutcher said that the service was “in a different place today than we were last August”.
He said that “tireless” work continues to “devalue” the compromised dataset, and “significant” crime prevention advice has been offered to officers and staff.
He added: “Today’s confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing.
“This fine will further compound the pressures the service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.”
He said: “While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an Enforcement Notice.
“That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.
“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”
The Police Federation for Northern Ireland (PFNI) said it was “disappointed” at the £750,000 fine on an “already cash-strapped” organisation.
PFNI chairman Liam Kelly said the breach caused “widespread understandable distress and concern” and forced people to re-think their personal security.
He added: “A fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation. Even though provision was made for most of this last year, there is still a hefty sum of money to come out of the current budget.
“We’re disappointed that our submissions on the level of the fine were not fruitful.
“We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local councils.
“We’re grateful the Information Commissioner’s Office applied discretion on the level of fine to be imposed which would have been £5.6 million. Had that happened, I have no doubt that immense harm would have been caused to the Service and the range of services the public have a right to expect.”
