Accountability comes in many forms – Information Commissioner

3 October 2024, 13:54

UK Information Commissioner John Edwards
UK Information Commissioner John Edwards. Picture: PA

John Edwards was speaking after questions were asked about who was made accountable for a major data leak by the PSNI.

The Information Commissioner has said accountability comes in many forms after questions were asked following a major data leak by police.

The Police Service of Northern Ireland (PSNI) was fined £750,000 for an “egregious” data breach in which the personal information of staff and officers was released.

The Information Commissioner’s Office (ICO) fined the organisation for the “serious” breach that left many PSNI workers fearing for their safety, and said “simple-to-implement” procedures could have prevented it.

However questions have been asked around whether anyone has been made accountable for the breach.

Appearing before the Northern Ireland Policing Board, Information Commissioner John Edwards said that accountability “comes in many forms”.

“The chief constable is sitting in front of the Northern Ireland Policing Board and that is a principal form of accountability in this community,” he said.

He pointed out he is a regulator and it is his job to administer data protection regulations to ensure that data is kept safely and securely, and not misused.

While he said that in his time in the job, this incident was “right at the edge of the most serious” he had seen, he went on to tell the board that he believes significant improvements have been made and the public can be reassured that the PSNI does take its obligations in relation to personal data very seriously.

Policing Board chair Mukesh Sharma described the breach as a “critical incident which had serious reverberations within and outside of the PSNI”.

The ICO had previously announced its intention in May to fine the organisation £750,000 and Thursday’s announcement is confirmation of the final figure.

The breach happened in August 2023, when a spreadsheet released as part of a freedom of information request held hidden data with the initials, surname, rank and role of all 9,483 PSNI officers and staff.

Police later said the information had got into the hands of dissident republicans.

In the aftermath of the leak, some officers chose to relocate their homes, cut contact with family members, and change daily routines.

The UK data regulator said that the fine should have been £5.6 million, but as it was “mindful” of the financial constraints faced by the PSNI, it used its discretion to reduce the total amount.

The ICO investigation found that the breach caused anxiety and distress for PSNI staff and officers, with some stating that they had left the organisation or lost sleep due to concern about their safety.

Mr Edwards said it was “a lack of simple, internal processes” that led to the “particularly egregious breach”.

He said it served as “a lesson for all organisations” to check their process around data protection.

Mr Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.

“It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff.

“A lack of simple internal administration procedures resulted in the personal details of an entire workforce – many of whom had made great sacrifices to conceal their employment – being exposed.

“Whilst I am aware of the financial pressures facing PSNI, my role as commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines. I am satisfied, with the application of the public sector approach, this has been achieved in this case.”

Deputy Chief Constable Chris Todd said he wanted to acknowledge the impact the breach had, which was “difficult” for staff and officers.

Asked about what the total costs would be, Mr Todd said that a universal payment of up to £500 for individual security measures for staff and officers had cost £3.4 million.

He said that around 7,000 claimants had taken legal action against the organisation over the breach, which he said would be “the biggest chunk of expenditure”.

“In June, that process went before the courts and we accepted liability, so that was committed to in June and the courts are now working through that process to determine how much exactly that will be,” he said.

He added the £750,000 fine will “add to pressures” on “woefully underfunded” police services.

“We made the representations obviously hopeful that there might be an adjustment,” he said, adding that they would not be appealing against the amount.

PSNI Chief Constable Jon Boutcher said that the service was “in a different place today than we were last August”.

He said that “tireless” work continues to “devalue” the compromised dataset, and “significant” crime prevention advice has been offered to officers and staff.

He added: “Today’s confirmation that the ICO has imposed a £750,000 fine on the Police Service of Northern Ireland is regrettable, especially given the financial constraints we are currently facing.

“This fine will further compound the pressures the service is facing. Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.”

He said: “While we are extremely disappointed the ICO have not reduced the level of the fine we are pleased that they have taken the decision not to issue an Enforcement Notice.

“That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests.

“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”

The Police Federation for Northern Ireland (PFNI) said it was “disappointed” at the £750,000 fine on an “already cash-strapped” organisation.

PFNI chairman Liam Kelly said the breach caused “widespread understandable distress and concern” and forced people to re-think their personal security.

He added: “A fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation. Even though provision was made for most of this last year, there is still a hefty sum of money to come out of the current budget.

“We’re disappointed that our submissions on the level of the fine were not fruitful.

“We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local councils.

“We’re grateful the Information Commissioner’s Office applied discretion on the level of fine to be imposed which would have been £5.6 million. Had that happened, I have no doubt that immense harm would have been caused to the Service and the range of services the public have a right to expect.”

By Press Association

More Technology News

See more More Technology News

Alexander McCartney, 26, has admitted 185 charges involving 70 children

Online predator who drove 12-year-old catfish victim to suicide to be sentenced after admitting 185 charges

Sewell Setzer III and his mother

Boy, 14, 'killed himself after becoming obsessed with Game of Thrones A.I chatbot'

Meta is set to introduce facial recognition technology to crack down on celebrity advert scams

Facebook and Instagram launch technology to crack down on celebrity scam adverts

Tesla used this AI-Generated image at their We, Robot event

Blade Runner 2049 creators sue Elon Musk over AI-generated Robotaxi images

Mark Zuckerberg speaks about Meta AI during the Meta Connect Conference in California in September

Meta AI tools come to UK for first time

Google Stock

US government says it is considering breaking up Google after competition case

A woman’s hand pressing keys on a laptop keyboard

Lack of digital confidence costing people money and job opportunities – study

A person using a laptop

Government opens new competition to find next generation of cybersecurity talent

Exclusive
Ukrainian military learn to fly drones with bombs attached at a special school on May 12, 2023 in Lviv region Ukraine.

Ukraine’s AI-powered drone swarms signal the future of warfare and 'level the playing field' with Russia, report reveals

Web search page with Google

Google ordered to open app store to rivals by US judge

Appeals Centre Europe is an independent body (PA)

Social media users can appeal over content disputes to new settlement body

A close-up of a group of young people looking at mobile phones

Fear of missing out sees girls stay online despite negativity, survey finds

A close up of copper inside electrical cables

Recycling old cables could help provide copper needed for green tech – study

A woman’s hands on a laptop keyboard.

New regulatory office ‘to help new tech reach public faster’

Woman talking on mobile phone and working on laptop

New AI-powered scam detection tool launches

Google screen

Google brings more AI to search engine in ‘significant’ update