PSNI breach highlights the need for better handling of FoI requests, says Gemserv's privacy chief

The Police Service of Northern Ireland suffered a significant data breach that compromised the sensitive personal information of police officers and civilian personnel employed by the agency.

The breach was officially confirmed by PSNI on August 8 when a spreadsheet containing the personal data of police officers was released accidentally along with a Freedom of Information (FoI) request. This raised serious concerns about the safety and security of those whose personal data was compromised during the incident and their families.

The leaked data included current employees’ surnames and initials, ranks, departments, and locations. This sensitive information encompassed even the most delicate areas of the police service, including surveillance and intelligence.

The released data also included information about individuals currently on career breaks, potentially putting them at risk. The information was inadvertently published on the FoI website "What Do They Know" around 2:30 pm BST on August 8, following a request from a public member seeking details about the distribution of officers across different ranks and staff grades.

Several serving and retired members of the Police Service of Northern Ireland (PSNI) expressed their concerns following the data leak.

“I can’t trust anyone here. We were looking over our shoulder, but now even more so. This has done half the job for the people who want to target officers,” one of the officers told the BBC following the leak.

Another officer, who chose to remain anonymous, said, “Since joining the service I have moved house and spent a considerable amount of money making sure it is secure and to give me and my loved one’s peace of mind.

“I have chosen to do this job and over time have become accustomed to the risks, but what this breach has done is highlight the fear and concern that my family have about me doing this job.”

The accidental exposure took the form of a large Excel spreadsheet containing a staggering 10,799 lines of confidential data. The spreadsheet remained accessible for approximately two and a half hours before being removed from the website at the request of PSNI. While the document was taken down rather quickly and a mistake of this sort can be made easily, the data was accessed several times till it was taken down.

In a statement shared with Teiss, Camilla Winlo, head of data privacy at Gemserv, said that according to the Information Commisioner’s Office (ICO), in the 2 hours and 21 minutes that the spreadsheet was available online, it was accessed 3,872 times. In fact, in 2019 a somewhat similar breach took place, where excess personal data was published by the Cabinet Office along with the New Year’s Honours list.

“In my opinion, requests for information under the Freedom of Information Act and data protection legislation should always be treated as potential personal data breaches and handled very carefully. They are designed to result in the provision of information that wasn’t previously accessible outside the organisation,” Winlo explained.

Winlo added that it’s important that organisations handling these requests must carry out a risk assessment and consider what kinds of technical and organisational safeguards need to be put in place before the response is provided.

“In a case like this, where the personal data related to police officers and there is a known threat to those individuals, sensible controls could have included using business information systems that can create the summary statistics without allowing the underlying data to be extracted from the database, and checking that only summary information was included in the file for publication on the website,” she added.