The PSNI is facing a £750,000 fine following the spreadsheet error that exposed the personal information of its entire workforce.
The Information Commissioner’s Office (ICO) said the fine comes after information relating to more than 9,000 serving PSNI officers and staff was published online in August last year.
An investigation by the ICO has provisionally found the PSNI’s “internal procedures and sign-off protocols for the safe disclosure of information were inadequate”.
It comes after the personal information – including surname, initials, rank and role of all 9,483 serving PSNI officers and staff – was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request (FOI).
The ICO said the PSNI could be fined £750,000 for “failing to protect the personal information of its entire workforce”.
But it said the fine could have been £5.6 million if a “public sector approach not been applied”.
It said in September 2023 the Commissioner issued an advisory notice with recommendations public authorities should adopt to ensure personal information is not inappropriately included as part of a FOI response.
It said recognising “public money is best used to support the delivery of essential services, the Commissioner used his discretion to apply the public sector approach when calculating the PSNI provisional fine amount”.
It added that the approach is to “ensure public money is not diverted away from where it is needed most, while maintaining the right to issue fines in the most serious of cases”.
John Edwards, UK Information Commissioner, said: “The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.
“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.
“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.
“I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”
The ICO said the PSNI has been issued with a preliminary enforcement notice, which requires the force to improve the security of personal information when responding to FOI requests.
It added the Commissioner’s findings are provisional, and he will carefully consider any representations PSNI make before making a final decision on the fine amount.
In a statement the Policing Board said it “remains profoundly aware of the personal and professional impact that the 8 August data breach has had on officers and staff.”
The Board has continued to engage with both PSNI and staff associations over the last nine months to assess the ongoing effects of the breach and we welcome the actions taken by PSNI to mitigate the immediate impact and support those affected.
“PSNI have accepted the recommendations made in the jointly commissioned independent review into the data breach, and at our July board meeting we expect a detailed update on their implementation.
“The board will continue to monitor the timely implementation of these recommendations alongside any additional recommendations made by the Information Commissioner’s Office.”