On 26 September 2024, the Information Commissioner’s Office (ICO) issued the Chief Constable of Northern Ireland with a penalty notice for failing to meet its obligations under UK GDPR following a data breach arising from a Freedom of Information Act (FOIA) response.
Whilst FOIA requests can only be made to public authorities, many of the lessons learned from ICO penalty notices and reprimands are essential learning points for all businesses. In this case, the level of the penalty was reduced because of the financial position of the Police Service of Northern Ireland, but this reduction would not be available to private organisations.
Why was the Chief Constable of Northern Ireland issued with the penalty notice?
Because they infringed the following Articles of the UK GDPR:
- 5(1)(f) – processing data in a manner that ensures appropriate security of the personal data;
- 32(1) – processing data securely, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing; and
- 32(2) – assessing the appropriate level of security, taking into account the risks of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data transmitted, stored or otherwise processed.
The infringements relate to the processing of the personal data of Police Service of Northern Ireland (PSNI) officers and staff. Their data was downloaded from the PSNI human resources management system and analysed in Microsoft Excel by PSNI staff to prepare information to be disclosed in response to FOIA requests. The data was downloaded from a file called “Combined 3C & Perlist” which included the surnames and first name initials, job role, rank/grade, department, location or post, contract type, gender and PSNI service/staff number of all officers and staff who are in post, suspended or on a career break at the time of the download. The data breach has exposed the personal data of its entire workforce (9,483 PSNI officers and staff), leaving many fearing for their safety.
How was the data breach discovered?
On 3 August 2023, PSNI received two FOIA requests from the same person via WhatDoTheyKnow – a website that people can use to make subject access requests. The first asked for the names of officers at each rank and the number of staff at each grade and the second asked for a distinction between how many are current/temporary/acting.
The downloaded file containing the raw data was analysed and multiple further worksheets were created within the same Excel file. On completion, all of the worksheet tabs visible on screen were deleted from the Excel file. The original worksheet, however, which contained the raw data with the personal details not meant for disclosure as part of the FOIA response, remained in the file unnoticed, and this was not picked up by quality assurance. The Excel file was subsequently uploaded as part of the FOIA response on 8 August 2023.
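The failure mode described above is a worksheet that is not visible on screen but is still stored in the file. An .xlsx file is a zip archive, and the visibility of each worksheet is recorded as a `state` attribute on the `<sheet>` elements of `xl/workbook.xml`. The following pre-release check, added here as an illustration and not code from the original article or from the PSNI or ICO, lists every worksheet declared in a workbook and flags any that is `hidden` or `veryHidden`. It assumes the retained worksheet was a hidden tab, as the text implies, and the sample workbook it builds is constructed for the example rather than taken from the real file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def sheet_states(xlsx_bytes):
    """Return (name, state) for every worksheet declared in xl/workbook.xml.
    The optional state attribute is 'hidden' or 'veryHidden'; when it is
    absent the sheet is visible. veryHidden sheets cannot be unhidden from
    the Excel UI at all, so a reviewer relying on tabs would never see them."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(s.get("name"), s.get("state", "visible"))
            for s in root.iter(f"{{{MAIN}}}sheet")]


def undisclosed_sheets(xlsx_bytes):
    """Names of worksheets that would not appear as on-screen tabs."""
    return [n for n, st in sheet_states(xlsx_bytes) if st != "visible"]


def build_workbook(sheets):
    """Construct a minimal in-memory .xlsx from (name, state) pairs.
    Only workbook.xml is written because that is all the check reads; a
    real file also carries [Content_Types].xml, rels and sheet parts."""
    ET.register_namespace("r", REL)
    wb = ET.Element(f"{{{MAIN}}}workbook")
    sheets_el = ET.SubElement(wb, f"{{{MAIN}}}sheets")
    for i, (name, state) in enumerate(sheets, start=1):
        attrs = {"name": name, "sheetId": str(i), f"{{{REL}}}id": f"rId{i}"}
        if state != "visible":
            attrs["state"] = state
        ET.SubElement(sheets_el, f"{{{MAIN}}}sheet", attrs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", ET.tostring(wb, encoding="UTF-8"))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the raw-data tab is hidden, the response tab visible.
    sample = build_workbook([("Combined 3C & Perlist", "hidden"),
                             ("Response", "visible")])
    for name, state in sheet_states(sample):
        print(f"{name!r}: {state}")
    leaked = undisclosed_sheets(sample)
    print("BLOCK RELEASE" if leaked else "OK TO RELEASE", leaked)
```

Running the check on a real workbook is a matter of passing `open(path, "rb").read()` to `undisclosed_sheets`; a non-empty result means the file still carries data that no tab-by-tab review would have shown.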
The 8 August Incident involved the unauthorised disclosure of the personal data of all PSNI police officers and staff. On 10 August 2023, the PSNI described the 8 August Incident as an “unprecedented and industrial scale data breach”. On 14 August 2023, the PSNI made the following statement: “We are now confident that the workforce data set is in the hands of Dissident Republicans. It is now a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff.”
What is the ICO and what does it do?
The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers, for example:
- Issuing notices that require you to provide certain information
- Issuing enforcement notices that require you to take, or refrain from taking, particular steps or action
- Issuing monetary penalties of up to £17 million for contraventions relating to network and information systems
Can you challenge a monetary penalty by the ICO?
Yes. If the ICO intends to issue a monetary penalty it will send a notice of intent which you can challenge by sending written representations within a strict timeframe. Time is of the essence when you receive a notice of intent so it is crucial that you seek legal advice without delay.
Last year we acted on behalf of a client who was issued with a notice of intent for over £180,000 as a result of a data breach. We sent written representations which were successful – resulting in the investigation being dropped and the fine waived in its entirety.
What’s the implication of this case on your business?
Increasingly, citizens are using Freedom of Information Act requests to obtain information on all aspects of government. Common mistakes when responding to FOIA requests and subject access requests include:
- Incorrectly identifying a request
- Failing to meet the deadline for responses and/or misusing the extension period
- Incorrectly identifying disclosable information
- Inconsistent or ineffective quality checking
- Misunderstanding the mandatory requirements for FOIA denials
- Using the exemptions wrongly
- Poor policies and procedures in place to deal with the handling of requests and appeals
Taking into account the PSNI's current financial position, and not wishing to divert public money from where it is needed, the ICO used its discretion to apply the public sector approach when setting the level of the penalty in this case. Had this not been applied, the fine would have been £5.6 million.
What are the key takeaways and how can Tozers help?
Our expert data protection team helps clients by debunking common data protection myths, demystifying the complicated legal framework into words you can understand and working with you to demonstrate compliance.
We can assist by:
- Drafting bespoke data protection policies
- Discussing data protection impact assessments and technical and organisational measures to mitigate or manage the risks you identify with new systems
- Providing training to staff
- Providing written representations to the ICO to dispute any penalty notice, if the worst happens
Get in touch today
Lawyers are essential in guiding businesses through the intricate legal framework of data protection and the implementation of systems handling personal data. For expert advice, connect with one of our legal professionals today for a free, no-obligation consultation.