ICO fines the PSNI £750,000 following spreadsheet data breach…

Although not exactly hot off the press, as the fine was announced back in early October, this concerns what the independent review “Protecting from Within” described as:

the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff and communities cannot go unnoticed.

Following the widely reported data breach in August 2023 (which I’ve written about previously here and here), when the surnames and ranks of 9483 PSNI officers were accidentally leaked into the public domain in response to a Freedom of Information (FOI) request, the Information Commissioner’s Office has fined the PSNI £750,000 for not having adequate information security measures in place.

In a detailed 76-page document the ICO sets out the reasons for the fine and the background to the incident, but a helpful summary is available here.

The confidential information was contained within a hidden unmarked tab of the spreadsheet and was published on the publicly accessible “WhatDoTheyKnow” website for over two hours before the breach was discovered.

Significantly the report notes that the PSNI FOI procedures contained no guidance on checking FOI response letters or attachments for hidden data – a fact which quite simply beggars belief.

Astonishingly, the ICO notice states that the PSNI were regularly creating pivot tables when preparing data for disclosure, thereby creating a high risk of hidden data being unintentionally revealed, since a pivot table carries a cached copy of its source rows inside the workbook.

What’s particularly disturbing and worrying – especially for an organisation which regularly processes highly sensitive personal information – is that this was such a simple, basic error which could so easily have been avoided. The personal impact of the breach on affected officers is unimaginable.

The classic “spreadsheet-with-hidden-tabs-containing-sensitive-data blunder” is just a step up from the email sent by mistake to the wrong recipient with a near-identical address, or the email CC’d to multiple recipients which should have been BCC’d. I’ve had experience of this as well. As commenters on this site have previously pointed out, a simple check of the spreadsheet by a skilled second pair of eyes before sending it out would have prevented such a disaster – or better still – converting the spreadsheet to a PDF to ensure there was no hidden data would not have taken much effort. Having worked in the data protection field for the best part of two decades, this is something I constantly hammer home in training to new employees as a basic security precaution.
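The “second pair of eyes” check described above can also be automated as a release gate. The following is an added example, not code from the original post or from the PSNI or ICO: a stdlib-only Python scanner that opens an .xlsx as the zip of XML parts it really is and reports the places where data hides without showing on screen: sheets marked hidden or veryHidden in workbook.xml, hidden rows and columns in each worksheet, and any pivot cache parts (the stored copy of a pivot table’s source rows). The sample workbook it builds is constructed in memory for the demonstration; the sheet names, cell values and file layout are assumptions, not anything from the real FOI response.

```python
"""Pre-release check for hidden content in an .xlsx workbook (stdlib only).

Added example, not the original post's code. The workbook below is a
constructed sample; real .xlsx files have more parts, but the parts scanned
here are where hidden sheets, rows, columns and pivot caches actually live.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_workbook(clean: bool = False) -> bytes:
    """Construct a minimal .xlsx-style zip in memory (constructed sample data,
    not a real file). With clean=False it holds one visible sheet, a 'hidden'
    sheet, a 'veryHidden' sheet, a hidden row and column, and a pivot cache;
    with clean=True only the visible summary sheet remains."""
    extra_sheets = "" if clean else (
        '  <sheet name="Sheet2" sheetId="2" state="hidden" r:id="rId2"/>\n'
        '  <sheet name="Sheet3" sheetId="3" state="veryHidden" r:id="rId3"/>\n'
    )
    pivot = "" if clean else '<pivotCaches><pivotCache cacheId="0" r:id="rId4"/></pivotCaches>'
    workbook_xml = (
        f'<workbook xmlns="{NS}" xmlns:r="{NS_R}">\n <sheets>\n'
        '  <sheet name="Summary" sheetId="1" r:id="rId1"/>\n'
        f"{extra_sheets} </sheets>\n {pivot}\n</workbook>"
    )
    hidden_col = "" if clean else '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
    hidden_row = "" if clean else '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>x</t></is></c></row>'
    summary_xml = (
        f'<worksheet xmlns="{NS}">{hidden_col}<sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Count by rank</t></is></c></row>'
        f"{hidden_row}</sheetData></worksheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", summary_xml)
        if not clean:
            empty = f'<worksheet xmlns="{NS}"><sheetData/></worksheet>'
            zf.writestr("xl/worksheets/sheet2.xml", empty)
            zf.writestr("xl/worksheets/sheet3.xml", empty)
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", f'<pivotCacheDefinition xmlns="{NS}"/>')
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", f'<pivotCacheRecords xmlns="{NS}"/>')
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Return every place in the workbook zip where data could sit unseen."""
    findings = {"hidden_sheets": [], "pivot_cache_parts": [],
                "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        # Sheets absent from the tab bar: state="hidden" (unhideable from the
        # menu) or state="veryHidden" (only via VBA / the object model).
        for sheet in wb.iterfind(f"{{{NS}}}sheets/{{{NS}}}sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        # A pivot table stores a copy of its source rows under xl/pivotCache/;
        # that copy stays in the file even if the source sheet is deleted.
        findings["pivot_cache_parts"] = sorted(n for n in names if n.startswith("xl/pivotCache/"))
        for name in names:
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(name))
            rows = [r.get("r") for r in ws.iter(f"{{{NS}}}row") if r.get("hidden") in ("1", "true")]
            cols = [(c.get("min"), c.get("max")) for c in ws.iter(f"{{{NS}}}col")
                    if c.get("hidden") in ("1", "true")]
            if rows:
                findings["hidden_rows"][name] = rows
            if cols:
                findings["hidden_cols"][name] = cols
    return findings


def is_safe_to_release(findings: dict) -> bool:
    """True only when no hidden sheet, row, column or pivot cache was found."""
    return not any(findings.values())


if __name__ == "__main__":
    for label, wb in (("unchecked", build_sample_workbook()),
                      ("clean", build_sample_workbook(clean=True))):
        f = scan_workbook(wb)
        verdict = "OK to release" if is_safe_to_release(f) else "BLOCK: hidden content"
        print(f"{label}: {verdict} {f}")
```

Run against a real file, `scan_workbook(open("response.xlsx", "rb").read())` would flag the hidden tab and the pivot cache that the ICO notice describes before the attachment left the building. The scan is deliberately narrow: it does not look at defined names, cell comments or document properties, so it is a gate, not a substitute for the approach the post recommends of exporting only the intended sheet to PDF or CSV, which leaves no room for hidden parts at all.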

The PSNI Chief Constable was apparently “extremely disappointed” with the size of the fine.

However, it could have been much worse. A private company with a similar number of employees would have received a much larger fine of around £5.6 million. So it’s not unreasonable to say the PSNI got off lightly in this case by virtue of being a public sector body, with the Information Commissioner using his discretion “and not wishing to divert public money from where it is needed”.

To put things into further perspective, the ICO recently issued a Notice of Intent to fine an NHS IT supplier, Advanced Computer Software Group Ltd, £6.09 million following a ransomware incident in which a customer account without multi-factor authentication was hacked and the personal data of 82,946 individuals was subsequently exfiltrated.

The sort of incident experienced by the PSNI was common in the NHS and local councils over a decade ago, in the early 2010s, but increased awareness campaigns by the ICO and other organisations were somewhat successful in reducing the occurrence of such breaches – although clearly not in the PSNI’s case.

Lessons learnt the hard way indeed.
