ICO fine for Police Service of Northern Ireland
What went wrong and what can we learn from this data breach?
You may recall the awful data breach last summer by the Police Service of Northern Ireland (PSNI). The personal details of its entire workforce (9,483 officers and staff) were accidentally exposed in response to a Freedom of Information request. The dreadful mistake left many fearing for their safety with an assumption the information shared got into the hands of dissident republicans.
This was a simple mistake involving a spreadsheet, which ALL organisations should take heed of.
The ICO has announced a £750,000 fine and says simple-to-implement procedures could have prevented this serious breach. If the ICO had not applied its discretionary approach for the public sector, the fine would otherwise have been £5.6 million. But in assessing the level of the fine, the current financial position of the PSNI and a desire not to divert public money from where it’s needed, were taken into account. A commercial organisation would have faced a much heftier financial penalty.
What went wrong?
The PSNI received two Freedom of Information requests in August 2023 from the same person. These came via WhatDoTheyKnow (WDTK); a platform which helps people submit requests and publishes responses. The requests were for information about the number of officers at each rank and number of staff at each grade, and some other details.
This information was downloaded in the form of an Excel file from the PSNI’s HR system and included personal data relating to all employees. During the analysis, multiple other worksheets were created within the same file. Once completed all visible worksheets were deleted.
But when the file was subsequently uploaded to the WDTK website, it emerged a hidden worksheet remained containing personal details. This had gone unnoticed, despite quality assurance. More detail is available in the ICO Penalty Notice.
In this case the evidence of the distress and harm caused by this data breach was evident. The ICO has published some of the comments from police officers affected, including: “How has this impacted on me? I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok. I have spent over £1000 installing modern CCTV and lighting around my home, because of the exposure.”
In announcing the penalty fine, John Edwards, UK Information Commissioner said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe… Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.”
What lessons can we learn?
While this is a particularly serious case, the ICO says mistakes when disclosing information via spreadsheets are nothing new. Public Authorities in particular are being urged to make sure robust measures are in place to make sure personal information is kept safe and the risk of human error is reduced. The regulator has published a useful checklist for any disclosures made using Excel:
✔ Delete hidden columns, rows and worksheets that are not pertinent to the request
✔ Remove any linked data from pivot tables, charts and formula which are not part of the request
✔ Remove all personal data and special category data which is not necessary to provide to fulfil the request
✔ Remove any meta data
✔ Make sure the file size is as you’d expect for the volume of data being disclosed
✔ Convert files to CSV
More information is available in an ICO Advisory Note
Crucially, organisations need to make sure all staff involved in the disclosure process have been given appropriate training. It’s too easy to point the finger at individuals for making mistakes, when it’s often a lack of robust procedures, training and final ‘pre-send’ checks which are ultimately to blame.