The Information Commissioner’s Office has issued a GDPR fine of £750,000 to the Police Service of Northern Ireland (PSNI) for a personal data breach affecting thousands of officers.
In August 2023, in response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 9,483 PSNI officers and staff, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety.
The ICO investigation found that simple-to-implement procedures could have prevented the breach. The ICO’s statement said:
“Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.”
On 26th June 2024, the ICO announced that it will review the two-year trial before making a decision on the public sector approach in the autumn. The Notice of Intent issued to the PSNI before this fine was issued, was also in the sum of £750,000.
In August this year, the ICO issued a Notice of Intent £6.09 million to an NHS IT supplier, Advanced Computer Software Group Ltd (Advanced), following a significant data breach in 2022. This came after the ICO found that the company failed to adequately protect the personal data of 82,946 individuals. It will be interesting to see if, here too, the actual fine will be the same as the notice.
0 Comments