The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

£750,000 fine for the Police Service of Northern Ireland

26 November 2024

The ICO have issued a penalty notice against the Police Service of Northern Ireland (“PSNI”) to the tune of £750,000 following a breach of the UK GDPR. The series of events was triggered by the inadvertent disclosure of the personal data of 9,483 PSNI officers and staff on 8 August 2023, which led to an ICO investigation. As a result, the ICO found that between 25 May 2018 and 14 June 2024 the PSNI had infringed articles 5(1)(f), 32(1) and (2) of the UK GDPR.

On 8 August 2023 a spreadsheet was released and published online in response to a freedom of information (“FOI”) request. The spreadsheet contained the names (surname and initial), rank, contract types, and cost codes regarding post funding for all PSNI officers and staff. The spreadsheet was available online for 2 hours 20 minutes. PSNI stated that they were confident that the data was in the hands of “dissidents” who would seek to use the information to intimidate or target officers and staff. PSNI self-reported to the ICO and undertook their own internal investigation. In their own report the breach was described as “the most significant data breach that has ever occurred in the history of UK policing…” (see the PSNI Independent review final report, 11 December 2023, pp. 2-3).

The penalty imposed upon PSNI was not simply in respect of the 2 hour 20 minute publication of the data; rather, it followed from the ICO looking at the procedures PSNI had in place to handle FOI requests. The ICO discovered that PSNI staff did follow the procedures in place at the time, and that those procedures did not prevent the data being disclosed. Therefore, the ICO found that the procedures, policies and guidance themselves did not amount to an appropriate organisational measure and did not ensure appropriate security of the personal data which was subject to the relevant processing. As such, the ICO came to the view that PSNI had infringed articles 5(1)(f), 32(1) and (2) UK GDPR.

When deciding whether to give a penalty notice, and determining the appropriate amount of that penalty, section 155(2)(a) DPA requires the ICO to have regard to the matters listed in article 83(1) and (2) UK GDPR, insofar as relevant. In this case, the ICO was satisfied that the case was sufficiently egregious to warrant the imposition of the penalty. The ICO originally considered that the appropriate penalty would be £5,600,000. However, they had regard to the revised approach to public sector enforcement that has been in place since 2022, and therefore to the need to reduce the impact of fines on public bodies, and they reduced the fine to £750,000.

This decision provides two warnings: first, the need to be aware of the perils of hidden data when responding to FOI requests; and secondly, the importance of having policies and procedures in place that are appropriate to guard against the risk of harm that could occur from unlawful or inadvertent disclosure.

Further reading:

ICO Penalty Notice – Police Service of Northern Ireland

PSNI Independent review final report, 11 December 2023

ICO sets out revised approach to public sector enforcement

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.
