In delivering the UK Information Commissioner’s Office (ICO)’s decision of 3 October to impose a £750,000 fine on the Police Service of Northern Ireland (PSNI) for a significant data breach, John Edwards, the Information Commissioner, described the incident as the worst his office had encountered in terms of its security implications.
The breach highlights the severe consequences of mishandling personal data, especially in high-risk contexts. Beyond the regulatory fine, the incident has led to approximately 7,000 civil claims from affected officers and staff, with damages and costs potentially reaching £140 million.
This case is a sobering reminder for organisations of the real-world consequences of failing to adequately protect personal data.
The Incident: What Went Wrong?
On 3 August 2023, the PSNI responded to a Freedom of Information (FOI) request asking for the number of officers and staff at each rank. The spreadsheet it uploaded to a public website in response contained not only the requested totals but also a hidden tab holding the underlying source data. By publishing that file, it inadvertently disclosed the personal information, including the names, ranks, contract types and posting details, of almost 10,000 police officers and staff.
The document remained accessible for a total of 2 hours and 20 minutes before being removed. While the breach was brief, the implications were severe. On 14 August 2023, the PSNI issued a statement confirming that the information was in the possession of dissident republican groups. In a region like Northern Ireland, where security threats to police officers are a constant concern, this breach created very significant risks to their safety.
Fundamental UK GDPR Breaches
The ICO determined that the PSNI violated the UK GDPR by failing to implement adequate security measures and procedures. The key provisions breached include:
- Article 5(1)(f): Personal data must be processed in a manner that ensures appropriate security, including protection against accidental loss, unauthorised access, destruction or damage, by using appropriate technical and organisational measures
- Article 32(1): Controllers and processors must implement security measures appropriate to the risk.
- Article 32(2): In assessing the level of security required, organisations must consider the risks associated with processing activities.
The ICO’s investigation revealed that the PSNI’s policies and training for handling FOI requests were inadequate given the high risk nature of the data involved. In Northern Ireland, the persistent threat to police officers necessitates a heightened level of security.
Post-Breach Regulatory and Civil Enforcement
- ICO Fine: A Reduced Penalty for Public Sector Breaches
The ICO initially assessed the fine at £5.6 million but reduced it to £750,000 due to its policy of adopting a lighter enforcement approach toward public sector organisations. This reduction reflects the ICO’s recognition of the financial pressures faced by public bodies but does not negate the seriousness of the breach.
- Civil Claims: A Greater Financial Risk
While the fine itself is significant, the civil claims filed by affected officers and staff pose a much greater financial threat. With an estimated 7,000 active claims, damages and costs could reach £140 million.
A similar case in Northern Ireland involved 80 individuals whose email addresses were exposed through an error by a body investigating historical institutional abuse; the disclosure identified them, by implication, as victims. In that case, test claims settled for £30,000 in damages each, illustrating the potential liability for organisations handling sensitive data.
Key Lessons for Organisations
The PSNI breach underscores the importance of proactive data protection measures, particularly in high-risk environments. Organisations should take the following steps to mitigate risks:
- Robust Policies and Training: Organisations need to develop and enforce comprehensive policies for handling FOI and Subject Access Requests (SARs), including a review step before anything is published, and provide regular training to staff that emphasises the risks associated with sensitive data.
- Data Minimisation and Formats: Organisations should handle with care file types such as Excel, which can carry data that is not visible on screen (hidden tabs, hidden rows and columns, pivot caches and named ranges). For public disclosures it is better to release only the rendered answer, for example as a PDF document, and to check the exported file before release rather than relying on the format alone. Applying data minimisation remains critical: the file released should contain no more than the data needed to answer the request.
- Data Protection Impact Assessments (DPIAs): Whenever processing special category or otherwise sensitive data is likely to result in a high risk, a DPIA is required. Organisations are expected to regularly evaluate the risks associated with the data being processed and implement security measures proportionate to its sensitivity and risk level.
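To make the "Data Minimisation and Formats" point concrete, the following added example (not code from the original article or from the PSNI or the ICO) shows a pre-release gate for .xlsx files. An .xlsx is a zip container, and Excel records each sheet's visibility and any hidden named ranges in the part xl/workbook.xml, so a hidden tab can be detected without opening the file in Excel. The sample workbook, the sheet names "Summary" and "Source data" and the named range "StaffList" are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the SpreadsheetML workbook part (xl/workbook.xml).
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_hidden_content(xlsx_bytes: bytes) -> dict:
    """Inspect an .xlsx (a zip container) for content a reviewer would not see
    on screen. Reads only xl/workbook.xml, where Excel records each sheet's
    visibility (state="hidden" can be unhidden from the ribbon; state="veryHidden"
    only via VBA or by editing the XML) and any defined names flagged hidden="1".
    Returns the sheet count, the hidden sheets and the hidden named ranges."""
    findings = {"sheet_count": 0, "hidden_sheets": [], "hidden_names": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    for sheet in root.iter(f"{{{MAIN_NS}}}sheet"):
        findings["sheet_count"] += 1
        state = sheet.get("state", "visible")  # absent attribute means visible
        if state != "visible":
            findings["hidden_sheets"].append((sheet.get("name"), state))
    for name in root.iter(f"{{{MAIN_NS}}}definedName"):
        if name.get("hidden") in ("1", "true"):
            findings["hidden_names"].append((name.get("name"), (name.text or "").strip()))
    return findings


def is_clear_for_release(xlsx_bytes: bytes) -> bool:
    """Release gate: a workbook with any hidden sheet or hidden name fails.
    This catches the hidden-tab failure mode only; it does not detect hidden rows
    or columns, pivot caches or comments, so the safe default is still to export
    just the rendered answer (for example as PDF) and re-check that file."""
    f = find_hidden_content(xlsx_bytes)
    return not f["hidden_sheets"] and not f["hidden_names"]


def build_sample_xlsx(include_hidden_tab: bool) -> bytes:
    """Constructed sample (not a real FOI file): a minimal workbook container with
    one visible summary sheet and, optionally, a hidden source-data tab plus a
    hidden named range pointing at it. Only the part this checker reads is written."""
    sheets = ['<sheet name="Summary" sheetId="1" r:id="rId1"/>']
    names = []
    if include_hidden_tab:
        sheets.append('<sheet name="Source data" sheetId="2" state="hidden" r:id="rId2"/>')
        names.append("<definedName name=\"StaffList\" hidden=\"1\">'Source data'!$A$1:$F$9999</definedName>")
    names_xml = f"<definedNames>{''.join(names)}</definedNames>" if names else ""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
        f'<sheets>{"".join(sheets)}</sheets>'
        f"{names_xml}"
        "</workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, leaky in (("clean workbook", False), ("workbook with hidden tab", True)):
        data = build_sample_xlsx(leaky)
        print(label, find_hidden_content(data), "clear for release:", is_clear_for_release(data))
```

Run against a real file with `is_clear_for_release(open("response.xlsx", "rb").read())` as a step in the FOI publication workflow; a failing check should block upload and send the file back to the author, who then removes the source data or exports only the summary.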
The PSNI breach demonstrates how a relatively minor procedural failure, such as not checking an Excel spreadsheet for hidden data before publication, can lead to catastrophic consequences. For organisations, the case is a wake-up call to review their data protection policies, protocols and security measures, particularly when handling sensitive or high-risk information.
If your organisation requires assistance with data protection compliance or incident response, Kennedys’ global data privacy team is ready to provide expert support.