The Police Service of Northern Ireland data breach: ‘simple human error’ has significant implications

This article was co-authored by Bethany Thompson, Solicitor Apprentice, Manchester.

This week’s news of a “monumental” data breach in Northern Ireland - where the personal details of 10,000 serving officers in the Police Service of Northern Ireland (PSNI) were mistakenly published online by the organisation itself - has created an elevated level of concern for the security of those officers.

This unfortunate incident exemplifies the importance of having robust policies and procedures in place which ensure the security of personal data, as well as displaying the potential real-world consequences of failing to do so.

Human error

The apparent mistake occurred following a Freedom of Information (FoI) request regarding the number of officers at each rank and the number of staff at each grade within the service. Instead of just publishing the numerical figures, the source data was published.

That error revealed the surname and initial, rank or grade, location and department of all current PSNI staff, including those working in particularly sensitive areas of the PSNI such as surveillance, undercover and intelligence.

The data was then made available on a FoI website, What Do They Know, for around three hours before it was removed.

The PSNI have released a statement apologising for the error, confirming that they have reported the incident to the Information Commissioner’s Office (ICO) and launched their own internal investigation. Such is the gravity of the situation, the ICO have also released a public statement expressing “serious concerns” which require “appropriate action to be taken by the Police Service of Northern Ireland as a matter of urgency”.

'Severe' threat

Northern Ireland has come a long way since the Troubles, and today is a diverse and vibrant society, but the threat posed to police officers by terrorist organisations is real and ever present. In February this year, a senior officer suffered life changing injuries when he was shot multiple times whilst attending a youth football event with his young son. The terror threat level in Northern Ireland has since been raised to ‘severe’, largely due to the threat posed to police officers.

What can other organisations learn from this?

This incident raises a number of important points for all organisations:

  • Whilst the well-publicised threat of ransomware (and other forms of cyber attack) is a major threat to organisations, human error accounts for a substantial proportion of data breaches. The PSNI have described this incident as being down to “simple human error”, but whether adequate procedures were in place to minimise the risk of such incidents remains to be seen.
  • The failure to adequately protect data has the potential to have real life implications for data subjects. In the days that have followed this breach, it has been reported that some officers are considering moving home, and even leaving their job entirely.
  • The assessment of whether data is ‘high risk’ is one which is subjective to each circumstance. A name and job title for an individual working in an accountancy practice in Leeds may not be considered to be high risk, whereas the same data for a police officer in Northern Ireland represents an entirely different scenario.
  • Having adequate training, processes and safeguards in place are key to avoiding accidental data breaches. Not only can adequate measures prevent incidents such as these, but they are also a requirement under the UK General Data Protection Regulations 2018 (GDPR). Article 5(1)(f) GDPR states that personal data should be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing, which requires data controllers to have appropriate technical or organisational measures in place.
  • Whilst FoI requests only apply to public authorities, private organisations may also be subject to Data Subject Access Requests under Article 15 GDPR, which are ripe for similar disclosure errors in the absence of adequate policies and procedures.

Group action pending?

One of the reasons group actions involving data breaches have so far failed to get off the ground in the UK is due to the requirement for claimants to show that they have suffered actionable damage. It is unlikely the PSNI officers will have any such difficulty in showing a heightened level of distress in these circumstances.

The facts are similar to the case of TLT v Secretary of State for the Home Department [2016]. In this case, the defendant erroneously uploaded a spreadsheet containing personal data relating to over 1,000 people who had applied for asylum in the UK. A number of people named on the spreadsheet successfully brought a claim for breach of the Data Protection Act 1998 and Misuse of Private Information. The claimants were awarded between £2,500 and £12,500 in damages.

The data itself in the TLT case can be deemed more intrusive than in the PSNI breach. However, a key consideration in the decision to award damages was the impact of the breach upon each claimant, which means litigation against the PSNI may be inevitable.

The PSNI incident is an unfortunate reminder that data can hold real world significance for anyone to whom that data relates. Organisations have a legal duty to protect that data, and by doing so protect their employees. The ICO and the courts are unlikely to look favourably upon any organisation which fails to do so.

Comment and comparison with the Electoral Commission (EC) data breach

Both the EC and the PSNI have come under scrutiny recently in relation to data breach incidents that both came to light to the public on the same day.

While the circumstances of both incidents contrast – one involving unauthorised access to systems by a nefarious third party, and the other arising from human error – it is helpful to consider the nature of data involved with each incident, and the potential implications for all organisations.

On paper, the personal data involved in the EC incident (names/addresses/contact details) and the personal data in the PSNI incident (seemingly just names, rank and station location) appear broadly similar.

There seems little doubt however, that the PSNI breach can be considered to give rise to a significantly higher risk compared to that of the EC data. It is the very fact that police officers’ names have been revealed by the PSNI which has caused so much concern, whereas the names of people on the EC’s register is comparatively innocuous.

To organisations, this should highlight the importance of assessing the level of risk that may arise from a data breach depending on the nature of the data held. Assessments should not only consider the type of data held but all other external factors which may increase the likelihood of the data being high risk if the information were to be publicised. This should help form both data retention policies, as well as breach response planning in the event of a future data breach.

Related item: The Electoral Commission data breach: three key takeaways

Related content