A spreadsheet was accidentally published online containing the surnames, initials, ranks, locations, and departments of all current Police officers and civilian staff in the Police Service of Northern Ireland (PSNI). The data was published in response to a freedom of information request and was made available to the public.
Assistant Chief Constable, Chris Todd, made the following statement after the breach:
“Regrettably, this evening, I’ve had to inform the Information Commissioner’s Office of a significant breach that we’re responsible for. What’s happened is we’ve received a freedom of information request, that’s quite a routine inquiry, nothing untoward in that.
“We’ve responded to that request, which was seeking to understand the total numbers of officers and staff at all ranks and grade across the organisation, and in the response, unfortunately one of our colleagues has embedded the source data, which informed that request.
“So, what was within that data was the surname, initial, the rank or grade, the location and the departments for each of our current employees across the police service.”
Mr Todd went on to say:
“We believe it was uploaded about 2:30 this afternoon… It came to my attention as the senior information risk owner at about 4pm, with the cooperation of the host provider it was taken down within the hour.”
The law
The Freedom of Information Act 2000 (FOIA) gives individuals the right to ask public bodies for the information that they hold. The Police are likely to receive a significant number of FOIA requests and in respect of each request, they must collate the information and then remove any personal data before disclosing it to the person requesting the data.
Unfortunately, in this case, the personal data of 10,000 individuals was left in the FOIA response and was published online and accessible by members of the public.
Under Article 6 of the UK GDPR, data held by a data controller should not be provided to third parties unless one of the six lawful bases for processing the data is present. The PSNI did not have a lawful basis for processing the data in the way that it did (i.e. publishing the data online without consent) and therefore they are in breach of this article of the UK GDPR.
Furthermore, Article 5(f) of the UK GDPR confirms that personal data should be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This is known as the integrity and confidentiality principle. By allowing the personal data of 10,000 employees to be published, PSNI has also acted in breach of Article 5 of the UK GDPR.
John Edwards, the Information Commissioner, has said the following in relation to the breach:
“People have the right to expect that their personal information is kept safe and not disclosed when it shouldn’t be. This incident raises serious concerns as it shows how even the smallest of human errors can have major consequences.
“We recognise the potential impact on the people and families affected by this breach, and we expect appropriate action to be taken by the Police Service of Northern Ireland as a matter of urgency.
“The incident demonstrates just how important it is to have robust measures in place to protect personal information, especially in a sensitive environment. The ICO works to support organisations to get this right so people can feel confident that their information is secure, and harms can be prevented.
“Following the report received from the PSNI, we are investigating the matter. Whilst this is a matter of serious concern, we do not yet know the extent to which the personal information was accessed during the time it was exposed. We are working with the PSNI to establish the level of risk and mitigations.”
How can Nelsons help
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice concerning the subject discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us