The PSNI has avoided a £5.6m fine for a data breach last August that exposed information about almost 9,500 officers and civilian staff.
However, it must pay a £750,000 sanction after an investigation by the Information Commissioner’s Office (ICO).
The data, which fell into the hands of dissidents, left many officers fearing for their safety.
The investigation found “simple-to-implement procedures” could have prevented the incident, in which data on a spreadsheet released as part of a Freedom of Information request revealed the surnames, initials, ranks and roles of all the force’s employees.
The ICO said it was “mindful” of the PSNI’s financial position and did not wish to divert public money from where it was needed, and used its discretion to apply a public sector approach.
Had this not been the case, the fine would have been £5.6m.
The leak occurred after police received two FoI requests from the same person via the WhatDoTheyKnow (WDTK) website.
The first asked for the number of officers at each rank and number of staff at each grade; the second for a distinction between how many were substantive/temporary or acting.
The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system (SAP).
The data included surnames, initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.
As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file.
However, the original worksheet containing the personal details wasn’t noticed.
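A pre-release check for the failure described above, added here as an illustration and not taken from the PSNI or the ICO: it lists every worksheet in a workbook, including those not shown in the tab bar, and blocks release if any sheet is non-visible or not on an approved list. It assumes the file is in .xlsx format and that the overlooked sheet was in a hidden state; the function names and the sample workbook are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by the workbook part of an .xlsx (Office Open XML) file.
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def list_sheets(xlsx_bytes):
    """Return [(sheet name, state)] for every worksheet in an .xlsx file.

    state is 'visible', 'hidden' or 'veryHidden'; a sheet in either of the
    last two states does not appear as a tab when the file is opened.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(s.get("name"), s.get("state", "visible"))
            for s in root.iter(NS + "sheet")]

def disclosure_blockers(xlsx_bytes, approved):
    """Sheets that should stop release: non-visible, or not explicitly approved."""
    return [(name, state) for name, state in list_sheets(xlsx_bytes)
            if state != "visible" or name not in approved]

def constructed_workbook():
    """Constructed sample: only the workbook part, enough for this check."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets>'
        '<sheet name="Summary by rank" sheetId="2" r:id="rId2"/>'
        '<sheet name="Source export" sheetId="1" state="hidden" r:id="rId1"/>'
        '</sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()

if __name__ == "__main__":
    approved = {"Summary by rank"}  # sheets a reviewer has signed off for release
    for name, state in disclosure_blockers(constructed_workbook(), approved):
        print(f"BLOCK RELEASE: sheet {name!r} is {state}")
```

Because the check compares against an approved list, it also catches a visible sheet that was simply left in the file by mistake.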
The file was uploaded to the WDTK website at 2.31pm on August 8, 2023.
The PSNI was alerted by its own officers at 4.10pm that day.
The Belfast Telegraph was also made aware of the breach around the same time.
The file was deleted from the website at 5.27pm. However, by then it had been shared dozens of times.
Six days later the PSNI said it assumed dissident republicans had the information.
The then Chief Constable Simon Byrne said: “We are working round the clock to assess and mitigate this risk.”
Within days printed copies of the data appeared on a wall in west Belfast alongside a photograph of Sinn Fein policing spokesman Gerry Kelly and a threatening message.
Mr Kelly said: “This is a very obvious attempt by dissident republicans to intimidate me.
“Even more sinister, this is a very public indication that the dissidents do have access to the sensitive information in the data leak document.
“It therefore represents a very real threat to the officers and the civilian staff involved.”
Information Commissioner John Edwards said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe.
“It is impossible to imagine the fear and uncertainty this breach — which should never have happened — caused PSNI officers and staff.
“A lack of simple internal administration procedures resulted in the personal details of an entire workforce — many of whom had made great sacrifices to conceal their employment — being exposed.
“Whilst I am aware of the financial pressures facing the PSNI, my role as commissioner is to take action to protect people’s information rights and this includes issuing proportionate, dissuasive fines.
“I am satisfied, with the application of the public sector approach, this has been achieved in this case.
“Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.”
The investigation listened to complaints from police and civilian staff.
One officer said: “Everything has culminated and become too much for me to the point that I have accepted another job outside of the police.
“I am essentially taking a pay cut, not to mention leaving the job that I dreamed of since I was a small child and geared my whole life towards.”
Other officers said they had followed all security advice by not telling people they were in the PSNI, deleting social media and not being on the electoral roll — only to have personal information leaked by their employer.
Despite missing out on the much higher financial penalty, Deputy Chief Constable Chris Todd said the ruling was “regrettable” given the financial constraints on the force.
He added: “This fine will further compound the pressures the service is facing.
“Although the majority of the cost (£610,000) was accounted for against the budget last year, a further £140,000 will now be charged against our budget in the current financial year.
“Following the ICO’s announcement in May that they intended to impose a fine and issue an enforcement notice, we made representations regarding the level of the fine and the requirements in their enforcement notice.
“While we are extremely disappointed the ICO have not reduced the level of the fine, we are pleased that they have taken the decision not to issue an enforcement notice.
“That decision is as a direct result of the police service proving to the ICO that we had implemented the changes recommended to improve the security of personal information, in particular when responding to FoI requests.
“The personal testimonies serve as a stark reminder of the impact the data loss had on our officers and staff and I know this will once again be to the forefront of their minds.
“As a service, we are in a different place today than we were last August and we have continued to work tirelessly to devalue the compromised dataset by introducing a number of measures for officers and staff.
“We have provided significant crime prevention advice to our officers and staff and their families via online tools, advice clinics and home visits.
“Work is ongoing to ensure everything that can be done is being done to mitigate any risk of such a loss occurring in the future.”