The PSNI must pay £750,000 for the data leak that led to information on all officers and staff being released last August, the Information Commissioner’s Office has ruled.
Names, job role, rank, grade, department, location of post, gender and PSNI service and staff number of 9,483 individuals were released by mistake following a Freedom of Information request last August.
Information Commissioner John Edwards signalled earlier this year he would issue a fine of £750,000 but waited for the force and rank and file representatives to respond before making his final decision.
PSNI Deputy Chief Constable Chris Todd said the fine is “regrettable, especially given the financial constraints we are currently facing”.
“This fine will further compound the pressures the Service is facing,” DCC Todd said, adding the majority of the cost was included in last year’s budget but a further £140,000 will have to found this year.
Mr Edwards said his office took into account the PSNI’s current perilous finances but added that the “nature of the breach and the impact on the people really demand a deterrent and a strong signal...particularly in a situation of security vulnerability”.
The commissioner said the office was mindful of the organisation’s finances and that the fine would have been £5.6 million if he had not used his discretionary powers to lower the amount so that money was not diverted away from important “public sector” work.
At 2.31pm on August 8 last year the file was uploaded to the What Do They Know site. Senior police were alerted at approximately 4.10pm but it was another 40 minutes before it was hidden from view, then deleted just before 5.30pm.
Following the data leak, the PSNI announced they were working on the assumption that the file was in the hands of dissident republicans.
Mr Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe. It is impossible to imagine the fear and uncertainty this breach – which should never have happened – caused PSNI officers and staff.”
DCC Todd welcomed the decision by the commissioner not to issue an enforcement notice, which he said “is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information in particular when responding to FOI requests”.
Police Federation chair Liam Kelly said the breach “caused widespread understandable distress and concern and forced a major re-think of personal security” but that a “fine of this magnitude on an already cash-strapped PSNI will have a negative impact on the organisation”.
“We would have preferred if PSNI could have been permitted to alternatively spend the funds on enhancing its data security and provide much needed reinvestment in community safety initiatives such as road safety programmes and CCTV funding in partnership with local Councils,” Mr Kelly added.
Approximately 7,000 individuals are involved in legal actions over clams of negligence and breaches of data protection and privacy. A mediation process has started to assess the level of damages.
Nicolas Hanna KC, counsel for the PSNI, told the High Court last week: “Liability is no longer an issue, it’s (now) a matter of causation and damages.”