ICO (UK) - Police Service of Northern Ireland
From GDPRhub
| ICO - Police Service of Northern Ireland | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 32 UK GDPR Article 5(1)(f) UK GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 08.08.2024 |
| Decided: | 26.09.2024 |
| Published: | 03.10.2024 |
| Fine: | 75,000 GBP |
| Parties: | Police Service of Northern Ireland (PSNI) |
| National Case Number/Name: | Police Service of Northern Ireland |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | ao |
A DPA issued the Chief Constable of the Police Service of Northern Ireland with a £75,000 fine concerning the upload of a database including personal data on 9,483 police officers and staff to a public website.
English Summary
Facts
The controller in this case the Police Service of Northern Ireland (PSNI) managed an extensive database containing personal data on police officers and staff of the PSNI. The workforce data included (for all officers and staff who were in post, suspended or on a career break): surnames and first name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number.
The PSNI regularly responds to freedom of information requests and draws from this database in order to fulfil these requests. Processing of personal data of PSNI officers and staff took place whenever workforce data downloaded from the PSNI human resources management system was analysed in Excel to prepare information to be disclosed in response to freedom of information requests.
On 8 August 2024, the unauthorised disclosure of the personal data of all PSNI police officers and staff, occurred when a spreadsheet released in response to a freedom of information request was published on the website called “whatdotheyknow.com”. The excel database consisted of several sheets and one contained an unmarked tab used to generate the personal data on PSNI staff. This tab was not deleted before uploading the excel sheet to the website.
Holding
The ICO determined that between 25 May 2018 (the date of commencement of the DPA and application of the GDPR) and 14 June 2024 the PSNI infringed Articles 5(1)(f), 32(1) and 32(2) UK GDPR. The ICO explains that the breach could have materialised at any point during this lengthy period. The processing of the personal data was not carried out in a manner that ensured appropriate security of the data through using appropriate technical and organizational measures such as training for administrative staff since 2018.
The ICO states that the PSNI ought to have known that spreadsheet files are prone to hidden data (and therefore human error) and that the training provided to employees to prevent this, was insufficient.
The ICO initially set the penalty at £5,600,000 but revised this number as the controller is a public sector enforcement body. The ICO issued a penalty notice by the ICO to the Chief Constable of the Police Service to pay the Commissioner £750,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR PUBLIC RELEASE
PENALTY NOTICE
POLICESERVICE OFN ORTHERN IRELAND
26 September 2024FOR PUBLIC RELEASE
Table of Contents
I. INTRODUCTION AND SUMMARY...................................................4
II. RELEVANT LEGAL FRAMEWORK....................................................8
III. BACKGROUND TO THE INFRINGEMENTS....................................9
A. The personal data breach reported by the PSNI ..................................9
B. The PSNI’s relevant procedures, policies and guidance....................... 20
IV. THE COMMISSIONER’S FINDINGS OF INFRINGEMENT.............27
A. Controllership and jurisdiction ........................................................ 27
B. Nature of the personal data and context of the Relevant Processing .... 28
C. The infringements ......................................................................... 32
V. DECISION TO IMPOSE A PENALTY..............................................43
A. Legal framework – penalties........................................................... 43
B. The Commissioner’s decision on whether to impose a penalty............. 44
Seriousness of the infringements: Article 83(2)(a) the nature, gravity
and duration of the infringements ................................................... 45
Seriousness of the infringements: Article 83(2)(b) the intentional or
negligent character of the infringements .......................................... 53
Seriousness of the infringements: Article 83(2)(g) categories of personal
data affected ................................................................................ 58
Conclusion on seriousness of infringements...................................... 59
Relevant aggravating or mitigating factors: Article 83(2)(c) any action
taken by the controller or processor to mitigate the damage suffered by
the data subjects .......................................................................... 60
Relevant aggravating or mitigating factors: Article 83(2)(d) the degree of
responsibility of the controller or processor ...................................... 62
Relevant aggravating or mitigating factors: Article 83(2)(e) any relevant
previous infringements by the controller or processor ........................ 63
Relevant aggravating or mitigating factors: Article 83(2)(f) the degree of
cooperation with the Commissioner ................................................. 63
Relevant aggravating or mitigating factors: Article 83(2)(h) the manner
in which the infringements became known to the Commissioner ......... 64
Relevant aggravating or mitigating factors: Article 83(2)(i) measures
previously ordered against the controller or processor ....................... 64
Relevant aggravating or mitigating factors: Article 83(2)(j) adherence to
approved codes of conduct or certification mechanisms...................... 65
Relevant aggravating or mitigating factors: Article 83(2)(k) any other
applicable aggravating or mitigating factors...................................... 65
2FOR PUBLIC RELEASE
Conclusion on relevant aggravating and mitigating factors ................. 65
Effectiveness, proportionality and dissuasiveness .............................. 66
C. Conclusion on decision on whether to impose a penalty ..................... 66
VI. CALCULATION OF PENALTY .....................................................67
A. Step 1: Assessment of the seriousness of the infringement................ 68
B. Step 2: Accounting for turnover...................................................... 69
C. Step 3: Calculation of the starting point........................................... 71
D. Step 4: Adjustment to take into account any aggravating or mitigating
factors............................................................................................... 71
E. Step 5: Adjustment to ensure the fine is effective, proportionate and
dissuasive.......................................................................................... 72
F. The Commissioner’s revised approach to public sector enforcement..... 72
G. Conclusion - penalty ..................................................................... 73
H. Financial hardship......................................................................... 73
VII. PAYMENT OF THE PENALTY .....................................................75
VIII. RIGHTS OF APPEAL .................................................................75
3FOR PUBLIC RELEASE
DATA PROTECTION ACT 2018
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER
PENALTY NOTICE
To: The Chief Constable of the Police Service of Northern Ireland
Of: PSNI Headquarters
65 Knock Road
Belfast
BT5 6LE
I. INTRODUCTION AND SUMMARY
1. Pursuant to section 155(1) of the Data Protection Act 2018 (“DPA”), the
Information Commissioner (the “Commissioner”), by this written notice
(“Penalty Notice”), requires the Chief Constable of the Police Service
of Northern Ireland (the “PSNI”) to pay the Commissioner £750,000.
2. This Penalty Notice is given in respect of infringements of the UK General
1
Data Protection Regulation (“UK GDPR”). This Penalty Notice contains
the reasons why the Commissioner has decided to impose a penalty,
1
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, as it forms part of the law of
England and Wales, Scotland and Northern Ireland by virtue of section 3 of the
European Union (Withdrawal) Act 2018.
For the period 25 May 2018 to 31 December 2020, references in this Penalty Notice
to the UK GDPR should be read as references to the GDPR (Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on
the free movement of such data) as it applied in the UK during that period.
4FOR PUBLIC RELEASE
including the circumstances of the infringements and the nature of the
personal data involved.
3. In accordance with paragraph 2 of Schedule 16 to the DPA, the
Commissioner gave a notice of intent to the PSNI on 20 May 2024,
setting out the reasons why the Commissioner proposed to give the PSNI
a penalty notice. In that notice of intent, the Commissioner indicated
that the amount of the penalty he proposed to impose was £750,000.
4. On 14 June 2024, the PSNI made written representations about the
Commissioner’s intention to give a penalty notice. On 5 July 2024 the
Commissioner sought clarification on the written representations, which
the PSNI provided on 12 July 2024. This Penalty Notice takes into
account the written representations from the PSNI and, where
appropriate, makes specific reference to them.
5. The Commissioner finds that between 25 May 2018 and 14 June 2024 3
the PSNI infringed Articles 5(1)(f), 32(1) and (2) UK GDPR for the
reasons set out in this Penalty Notice. In summary:
a) The infringements relate to the processing of personal data of
PSNI officers and staff that took place whenever workforce data 4
downloaded from the PSNI human resources management
system was analysed in Excel by PSNI staff to prepare
information to be disclosed in response to freedom of information
requests (the “Relevant Processing”).
2The date of commencement of the DPA and application of the GDPR.
3The date on which the Commissioner finds the PSNI implemented appropriate
security measures (see paragraphs 90 to 93 below).
4
Specifically, the data file called “Combined 3C & Perlist”, which includes (for all
officers and staff who are in post, suspended or on a career break at the time of
download) the following categories of personal data: surnames and first name
initials, job role, rank/grade, department, location of post, contract type, gender
and PSNI service/staff number.
5FOR PUBLIC RELEASE
b) The infringements of Article 5(1)(f) and Article 32 UK GDPR
occurred because the Relevant Processing was not carried out in
5
a manner that ensured appropriate security of the personal data
of PSNI officers and staff, using appropriate technical and
organisational measures as required by Article 5(1)(f) and Article
32 UK GDPR.
6. As a consequence of the PSNI not having appropriate security measures
in place as required by Article 5(1)(f) and Article 32 UK GDPR, the
personal data of 9,483 police officers and staff was disclosed to a public-
facing website on 8 August 2023 (the “8 August Incident”).
7. The 8 August Incident involved the unauthorised disclosure 6 of the
personal data of all PSNI police officers and staff, when a spreadsheet
released in response to a freedom of information (“FOI”) request was
published on the website https://www.whatdotheyknow.com/.
8. On 10 August 2023, the PSNI described the 8 August Incident as an
7
“unprecedented and industrial scale data breach”. On 14 August 2023,
the PSNI made the following statement: “We are now confident that the
workforce data set is in the hands of Dissident Republicans. It is now a
planning assumption that they will use this list to generate fear and
uncertainty as well as intimidating or targeting officers and staff.”
9. On 22 August 2023, the PSNI and the Northern Ireland Policing Board
commissioned an independent review into the circumstances
surrounding the 8 August Incident. The final report of that independent
5Specifically, protection against unauthorised disclosure.
6Article 4(12) UK GDPR defines a personal data breach as a breach of security leading
to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
7r access to, personal data transmitted, stored or otherwise processed.
Statement from the Chief Constable on the data breach investigation | PSNI, 10
August 2023 (accessed 26 September 2024).
8Update from the Chief Constable on the data breach investigation | PSNI, 14
August 2023 (accessed 26 September 2024).
6FOR PUBLIC RELEASE
review described the 8 August Incident as “the most significant data
breach that has ever occurred in the history of UK policing, not only
because of the nature and volume of compromised data, but because of
the political history and context that sets the backdrop of contemporary
policing in Northern Ireland and therefore the actual, or perceived,
threats towards officers, staff, and communities.”9
10. The Commissioner received complaints from data subjects (PSNI officers
and staff) describing the damage they suffered as a consequence of the
8 August Incident. The damage and distress described in the complaints
is often severe and includes concerns about personal safety and the
safety of family members, changes required to home security measures
and the need to relocate.
11. In deciding to give this Penalty Notice, the Commissioner has had regard
to the matters listed in Articles 83(1) and (2) UK GDPR. The
Commissioner considers the imposition of a penalty is an effective,
proportionate and dissuasive measure. The Commissioner has had
regard to the revised approach to public sector enforcement 10 and is
satisfied that this case is sufficiently egregious to warrant the imposition
of a penalty.
12. Having had regard to the matters listed in Articles 83(1) and (2) UK
11
GDPR, and in accordance with his Data Protection Fining Guidance, the
Commissioner determined the amount of the penalty as £5,600,000. The
Commissioner has however had regard to the revised approach to public
sector enforcement and has reduced the penalty amount to £750,000.
9PSNI Independent review final report, 11 December 2023, p. 2-3.
10
Open letter from UK Information Commissioner John Edwards to public
authorities, 30 June 2022. The revised approach (which was trialled for a two-year
period ending in June 2024) is currently under review. The revised approach
continues to be applied pending the outcome of that review: ICO statement on its
public sector approach trial | ICO.
11Data Protection Fining Guidance | ICO, 18 March 2024.
7FOR PUBLIC RELEASE
II. RELEVANT LEGAL FRAMEWORK
13. Section 155 DPA provides that, if the Commissioner is satisfied that a
person has failed, or is failing, as described in section 149(2) DPA, the
Commissioner may, by written notice, require the person to pay to the
Commissioner an amount in sterling specified in the notice.
14. The types of failure described in section 149(2) DPA include, at section
149(2)(a), “where a controller or processor has failed, or is failing, to
comply with … a provision of Chapter II of the UK GDPR … (principles of
processing)” and at section 149(2)(c), “where a controller or processor
has failed, or is failing, to comply with … a provision of Articles 25 to 39
of the UK GDPR … (obligations of controllers and processors).”
15. Chapter II of the UK GDPR sets out the principles relating to the
processing of personal data that controllers must comply with. Article
5(1) UK GDPR lists these principles and at point (f) includes the
requirement that “personal data shall be … processed in a manner that
ensures appropriate security of the personal data, including protection
against unauthorised … processing … using appropriate technical or
organisational measures”. This is referred to in the UK GDPR as the
“integrity and confidentiality” principle.
16. Article 32 UK GDPR (security of processing) materially provides:
“(1) Taking into account the state of the art, the costs of implementation
and the nature, scope, context and purposes of processing as well as the
risk of varying likelihood and severity for the rights and freedoms of
natural persons, the controller and the processor shall implement
appropriate technical and organisational measures to ensure a level of
security appropriate to the risk…
8 FOR PUBLIC RELEASE
(2) In assessing the appropriate level of security account shall be taken
in particular of the risks that are presented by processing, in particular
from … unauthorised disclosure of … personal data transmitted, stored
or otherwise processed.”
17. The legal framework for penalties is set out at Section V(A) below.
III. BACKGROUND TO THE INFRINGEMENTS
18. This section summarises the relevant background to the findings of
infringement. It does not seek to provide an exhaustive account of all
the details of the events that have led to the issue of this Penalty Notice.
A. The personal data breach reported by the PSNI
19. The PSNI is the police service responsible for law enforcement within
Northern Ireland. The PSNI is “the only routinely armed service in the
United Kingdom with the unique additional challenge of policing in the
context of a ‘substantial’ terrorist threat”.
20. On 8 August 2023 at 17:10, the PSNI contacted the Commissioner’s
office (the “ICO”) by phone to make the ICO aware of a personal data
breach. At 20:20 on the same day, the PSNI submitted an online form
to the Commissioner, formally reporting the personal data breach which
13
had taken place at 14:31 that day. The PSNI reported that at
approximately 16:10, the PSNI’s Operational Support Department
12A History of Policing in Ireland | PSNI (accessed 26 September 2024). At the time
of the 8 August Incident, the national security threat level was “severe” (a level
higher than “substantial”). Further information about the context in which the PSNI
operates has been set out at Section IV(B) below.
13
PSNI Initial breach report, 08 August 2023, p. 1.
9FOR PUBLIC RELEASE
became aware that information which had been used to generate a
response to an FOI request had been “provided by PSNI’s HR department
in an unmarked tab on the Excel spreadsheet released as part of the FOI
response. Whilst the FOI response had high level information being
released in full under the FOIA, the unmarked tab used to generate the
information was not deleted from the spreadsheet. It contained the
names (surname and initial), ranks, contract types, cost codes regarding
post funding for all PSNI officers and staff. The incident is now being
investigated by PSNI under a Gold command structure”.
21. The timeline of events leading up to the 8 August Incident was as
follows:4
3 August 2023
a) On 3 August 2023 the PSNI received an FOI request via the
WhatDoTheyKnow website asking for “the number of officers at
each rank and number of staff at each grade in tables as of
01/08/2023”.
b) Six minutes later, the PSNI received another request (from the
same person) via the WhatDoTheyKnow website: “Could you
please provide the number of officers and staff at each rank or
grade distinguishing between how many are
substantive/temporary/acting as of 01/08/2023. Could you
please provide this information in the form of tables for officers
and tables for staff.”
14
The PSNI and the Northern Ireland Policing Board jointly commissioned an
independent review into the 8 August Incident. The independent review was led by
Pete O'Doherty, Temporary Commissioner for the City of London Police and National
Police Chief’s Council Lead for Information Assurance and Cyber Security. The
independent review’s final report (titled “Protecting From Within”) was published on
11 December 2023. The timeline of the 8 August Incident is set out in that final
report at p. 15.
10FOR PUBLIC RELEASE
c) The Corporate Information Branch (“CIB”) is the department
within the PSNI responsible for handling FOI requests received
by the PSNI. A member of staff in the CIB sent an
acknowledgement to the requester. The acknowledgement
explained that the requester’s “…requests on this subject
[Officers and Staff by Rank and Grade] have been aggregated…”.
Effectively, the PSNI would respond to the second request.
4 August 2023
d) The (second) FOI request was assigned to an FOI Decision Maker
within CIB. FOI Decision Makers are the staff within CIB with day-
to-day responsibility for handling FOI requests. They co-ordinate
the identification and preparation of requested information and
make decisions regarding the application of FOI exemptions. 15
For each FOI request, FOI Decision Makers are required to
(contemporaneously) complete an FOI Audit Log. The FOI Audit
Log is a checklist which sets out the various stages of handling
an FOI request and the checks required at each stage.
e) The assigned FOI Decision Maker identified Human Resources
(specifically, the Workforce Planning Team) as the business area
within the PSNI which held information relevant to the FOI
request. The FOI Decision Maker asked the Workforce Planning
Team to provide that information by sending the Workforce
15The PSNI’s FOI Service Instruction (updated October 2019) describes their role as
follows: “The Decision-Maker will be the first port of call for FOI enquiries. This
involves obtaining all relevant information and compiling responses to requests and
appeals, through liaising with business areas.” (FOI Service Instruction, 2 October
2019, p. 16).
11FOR PUBLIC RELEASE
Planning Team the wording of the FOI request along with a case
16
tracker form.
7 August 2023
f) A member of the Workforce Planning Team prepared the
information requested using workforce data. Specifically, they
used a file of data downloaded from the PSNI’s human resources
management system (referred to internally as “SAP”). This data
17
file, referred to as “Combined 3C & Perlist”, was an Excel file
(workbook) containing a single worksheet titled “SAP
DOWNLOAD”. The workforce data included (for all officers and
staff who were in post, suspended or on a career break at the
time of download) the following categories of personal data:
surnames and first name initials,job role, rank/grade,
department, location of post, contract type, gender and PSNI
service/staff number. The workforce data was analysed to
prepare information relevant to the FOI request. Multiple other
worksheets were created within the Excel file as part of this
analysis, with one worksheet containing the final information
prepared for FOI disclosure (the “Return worksheet”).
g) The member of the Workforce Planning Team then deleted all the
tabs visible on their screen from the Excel file, other than the tab
for the Return worksheet. 18They did not know that the three
16
Case tracker forms “seek views from the business areas on the application of any
relevant harm in releasing information into the public domain as well as the
application of any cost considerations” (PSNI Second enquiries response letter, 22
September 2023, p. 5).
17PSNI Further enquiries response letter, 22 March 2024, p. 2-3.
18
Worksheets are typically displayed as tabs at the bottom of an Excel file (a
workbook). A workbook can contain hundreds of worksheets, but the number of
tabs that are displayed at any given time is limited (how many tabs are displayed
can also be affected by the length of the horizontal scrollbar at the bottom of the
workbook). When there are more worksheets than there are visible tabs, three
12FOR PUBLIC RELEASE
horizontal dots to the left of the remaining visible tab (the tab
for the Return worksheet) indicated that the Excel file continued
to contain the “SAP DOWNLOAD” worksheet which contained the
workforce data (as originally downloaded from the human
resources management system, SAP).
8 August 2023:
h) The Excel file was then sent to the Head of Workforce Planning
for quality assurance, who opened the Excel file and inspected
the (only) visible tab (the tab for the Return worksheet). They
checked that the information contained in the Return worksheet
was accurate and relevant to the FOI request. 19 The Head of
Workforce Planning did not notice the three horizontal dots or
was unaware of what they represented. 20 Following this quality
assurance, the Excel file was sent at 10:09 to the FOI Decision
21
Maker in CIB.
i) Using Microsoft Word, the FOI Decision Maker then drafted a
letter responding to the FOI request. The FOI Decision Maker
attempted to copy the prepared information across (from the
Return worksheet of the Excel file to the Word document) but,
on this occasion, they were unable to do so. They therefore
decided to disclose the Excel file as a separate file accompanying
their response letter. The FOI Decision Maker also did not notice
the three horizontal dots or was unaware of what they
horizontal dots appear to the left of the visible tabs (and another set of three
horizontal dots can appear to the right). These dots indicate that there are more
worksheets than there are visible tabs. Deleting visible tabs does not guarantee
deletion of all worksheets in a workbook (unless a user attempts to delete all visible
tabs).
19PSNI Fourth enquiries response letter, 13 December 2023, p. 2.
20PSNI Third enquiries response letter, 15 November 2023, p. 3.
21PSNI Fourth enquiries response letter, 13 December 2023, p. 2.
13FOR PUBLIC RELEASE
represented. The FOI Decision Maker sent the response letter
and accompanying Excel file to the PSNI’s Strategic
22
Communications and Engagement Department (“SCED").
SCED had asked to have sight of the prepared information prior
to its disclosure to the FOI requester. The SCED staff who
reviewed the Excel file (and approved its disclosure ) also did
not notice the three horizontal dots or were unaware of what they
represented.
j) At 14:31 the FOI Decision Maker uploaded the response letter
and accompanying Excel file to the WhatDoTheyKnow website.
The Excel file contained the Return worksheet (as was intended)
but also contained (unknown to the FOI Decision Maker) the “SAP
DOWNLOAD” worksheet.
k) Either by clicking on the three horizontal dots to the left of the
visible tab or by using the arrows to the left of those three
horizontal dots, the “SAP DOWNLOAD” worksheet would become
visible as a tab, which, once clicked, would make the “SAP
DOWNLOAD” worksheet visible on screen.
l) The PSNI became aware of the presence of the “SAP
DOWNLOAD” worksheet in the uploaded Excel file at
approximately 16:10, when officers alerted the PSNI’s
Operational Support Department Staff Office. 24 The PSNI
contacted the WhatDoTheyKnow website administrators at 16:47
to request removal of the Excel file. The WhatDoTheyKnow
website administrators responded at 16:51 to confirm that the
22PSNI Second enquiries response letter, 22 September 2023, p. 4.
23PSNI Initial enquiries response letter, 29 August 2023, p. 4.
24
PSNI Initial enquiries response letter, 29 August 2023, p. 2.
14FOR PUBLIC RELEASE
Excel file had been hidden from external view, and at 17:27
confirmed that the Excel file had been deleted from the website.
m) The “SAP DOWNLOAD” worksheet was accessible to the public
via the WhatDoTheyKnow website for approximately 2 hours and
20 minutes (between the hours of 14:31 and 16:51).
22. At 17:10 on the same day, the PSNI’s Head of Corporate Information
informed the ICO of the incident by telephone. At 20:20, they submitted
a data breach report online. 25 The report confirmed that the PSNI
considered the 8 August Incident met the threshold for notifying a
personal data breach to the Commissioner under Article 33 UK GDPR.
23. The 8 August Incident was communicated to the data subjects whose
personal data had been disclosed (all PSNI officers and staff) on the
same day at 17:07 by email. 26
24. Upon becoming aware of the 8 August Incident the PSNI launched
”Operation Sanukite”. The Gold Commander 27of this operation was
Assistant Chief Constable Todd, who is also the PSNI’s Senior
Information Risk Owner (“SIRO”). The strategy for Operation Sanukite
was first drawn up on 10 August 2023, and set 15 objectives, the first
two of which were “1) To prioritise the protection of officers and staff. 2)
To contain the data leak as much as possible to prevent further
consequences.” In describing the 8 August Incident, the strategy noted
that “The implications for the police service in terms of reputation etc.
are immense.” 28
25PSNI Initial breach report, 8 August 2023.
26Internal meeting notes from PSNI visit on 18 October 2023, p. 1.
27A GSB (gold silver bronze) structure is a command hierarchy that is often applied
to police operations. The Gold Commander has overall strategic command of an
operation. See Command structures | College of Policing (accessed 26 September
2024)
28PSNI Gold Strategy - Op Sanukite, 10 August 2023 p. 3.
15FOR PUBLIC RELEASE
25. On 14 August 2023 the PSNI provided a public update on Operation
Sanukite, which included the following statement: “We are now confident
that the workforce data set is in the hands of Dissident Republicans. It
is now a planning assumption that they will use this list to generate fear
and uncertainty as well as intimidating or targeting officers and staff. I
won’t go into detail for operational reasons but we are working round
the clock to assess the risk and take measures to mitigate it." 29
26. The PSNI provided an in-person briefing on Operation Sanukite to the
30
Commissioner’s investigation team on 18 October 2023. The PSNI
explained that as part of Operation Sanukite, the PSNI was taking steps
to change officer and staff identification numbers and to reduce their
use. The Commissioner understands these steps were aimed at reducing
the identifiability of PSNI officers and staff. They included:
a) Ensuring service numbers and staff numbers do not appear on
payslips. Service numbers are identification numbers which are
not public-facing, and which are issued to all officers. They are
equivalent to “warrant numbers” or “police numbers”. Staff
numbers are identification numbers issued to police staff. Both
service numbers and staff numbers were included in the
workforce data that was disclosed as part of the 8 August
Incident.
b) Seeking legislative changes so that officers could be identified on
search records, warrants and other legal documents other than
31
by means of their service numbers.
29
Update from the Chief Constable on the data breach investigation | PSNI, 14
August 2023 (accessed 26 September 2024).
30Internal meeting notes from PSNI visit on 18 October 2023.
31PSNI Op Sanukite Update, 18 October 2023 and Internal meeting notes from
PSNI visit on 18 October 2023.
16FOR PUBLIC RELEASE
c) Changing the shoulder numbers of all officers. A shoulder
number is an identification number (different to a service
number) worn on epaulettes by uniformed officers at certain
ranks. They were not included in the workforce data which was
disclosed as part of the 8 August Incident.
27. Other steps the PSNI has taken to mitigate the impact of the 8 August
Incident on the affected data subjects include :2
a) Setting up an Emergency Threat Management Group (“ETMG”).
PSNI staff and officers were able to refer themselves to the ETMG
to raise their concerns at a one-to-one meeting with a senior
manager. Appropriate risk mitigations (such as financial support
33 34
for security enhancements to homes or relocation ) would be
discussed at these meetings. Due to the high volume of referrals,
the ETMG first categorised referrals using a RAG rating. Those
referrals which the ETMG categorised as “red” were prioritised.
The factors taken into account in this assessment included: the
area where the individual lived and their relevant community
background; whether the individual had an uncommon name;
whether the individual had received previous threats; whether
the individual had a personal protection weapon; whether the
individual worked in a high-risk area such as source handling or
terrorism investigations; and any other specific factors raised in
the referral. The ETMG was set up to operate seven days a week,
7am to 7pm, with out of hours availability.
b) Senior officers visiting and engaging with their officers and staff
to offer support and reassurance.
32PSNI Initial enquiries response letter, 29 August 2023, p. 11.
33PSNI Op Sanukite Update, 18 October 2023, p. 1.
34Internal meeting notes from PSNI visit on 18 October 2023, p. 2.
17FOR PUBLIC RELEASE
c) Regularly communicating updates relating to the 8 August
Incident to officers and staff.
d) Enabling officers and staff to access a copy of their personal data
that had been disclosed as part of the 8 August Incident. 35
e) Providing additional guidance to line managers around the range
of welfare and wellbeing support available to officers and staff,
as well as guidance on holding crisis management briefings with
teams.
f) Setting up FAQ pages on the PSNI intranet to assist officers and
staff, such as by providing guidance on how to remove entries
from the open electoral register and on how to remove personal
information from the Companies House register. The PSNI has
agreed to reimburse officers and staff for the costs of removing
36
information from the Companies House register.
g) Offering financial support to officers and staff who have been
directly linked to a terrorist investigation to support security
37
enhancements to their home.
28. Policies and guidance (relevant to the security of the Relevant
Processing) which the PSNI introduced following the 8 August Incident
are described at paragraphs 45 to 47 below.
35PSNI Initial enquiries response letter, 29 August 2023, p. 4.
36Internal meeting notes from PSNI visit on 18 October 2023, p. 4.
37PSNI Op Sanukite Update, 18 October 2023, p. 1.
18FOR PUBLIC RELEASE
29. On 4 September 2023, the Secretary of State for Northern Ireland made
a statement on the 8 August Incident in the House of Commons. 38The
Secretary of State noted that “This data breach is deeply concerning and
significant. Recent events in Northern Ireland, including the terrible
attack on Detective Chief Inspector John Caldwell, show there are still a
small minority in Northern Ireland who wish to cause harm to PSNI
Officers and staff in Northern Ireland. ... there is significant concern
about the consequences of this data breach. Many PSNI officers and staff
have raised concerns about themselves and their family … In response
to these concerns, the PSNI and wider security partners are taking
appropriate action and are working around the clock to investigate the
incident, provide reassurance and mitigate any risk to the safety and
security of officers and staff. As of 30 August 3,954 self referrals have
been made to the PSNI’s Emergency Threat Management Group. This is
part of the welfare and support services which have been made available
to PSNI officers.”
30. The UK Parliament’s Northern Ireland Affairs Committee launched a
probe into the 8 August Incident, 39taking oral evidence in September
and December 2023. 40 Evidence was taken from the PSNI, bodies
representing officers and staff, and the Northern Ireland Policing Board
41
(“NIPB”).
31. The PSNI and the NIPB jointly commissioned an independent review into
the 8 August Incident. The independent review was led by Pete
O'Doherty, Temporary Commissioner for the City of London Police and
38Secretary of State's speech - PSNI data breach - GOV.UK (www.gov.uk), 4
September 2023 (accessed 26 September 2024).
39
40Other personal data breaches were also within the scope of the probe.
PSNI data breaches - Committees - UK Parliament (accessed 26 September
2024).
41The NIPB is an independent public body with a range of statutory functions,
including oversight of the PSNI.
19FOR PUBLIC RELEASE
National Police Chief’s Council (“NPCC”) Lead for Information Assurance
and Cyber Security. The independent review’s final report (titled
“Protecting from Within”) was published on 11 December 2023. The
report referred to the 8 August Incident as “the most significant data
breach that has ever occurred in the history of UK policing, not only
because of the nature and volume of compromised data, but because of
the political history and context that sets the backdrop of contemporary
policing in Northern Ireland and therefore the actual, or perceived,
threats towards officers, staff, and communities.”
B. The PSNI’s relevant procedures, policies and guidance
Organisational measures in place prior to the 8 August Incident
32. During his investigation, the Commissioner asked for information about
the PSNI’s procedure for handling FOI requests. The PSNI initially
responded by referring to the FOI Service Instruction.42
33. The PSNI’s FOI Service Instruction purports to be a document which
“clearly defines the responsibilities placed on the Police Service of
Northern Ireland to ensure compliance with the Freedom of Information
43
Act 2000 and the Environmental Regulations 2004”. It was first issued
on 17 May 2018. It was updated in October 2019 and again in July
44
2023.
34. During the investigation, the PSNI explained that the FOI Service
Instruction contained only a high-level description of how FOI requests
42PSNI Initial enquiries response letter, 29 August 2023, p. 4.
43PSNI FOI Service Instruction, 2 October 2019, p. 1.
44PSNI Fourth enquiries response letter, 13 December 2023, p. 4.
20FOR PUBLIC RELEASE
were handled; 45the PSNI went on to provide more detailed explanations
of the procedure.
35. On the basis of those explanations, the Commissioner finds that in
46
practice, the procedure (as it related to the Relevant Processing )
consisted of the following key steps:
a) Each FOI request is assigned to an FOI Decision Maker from CIB,
whose responsibilities include completing an FOI Audit Log (a
checklist which sets out the stages of handling an FOI request
and the checks required at each stage).
b) The assigned FOI Decision Maker identifies the relevant team (in
this case, the Workforce Planning Team) as the business area
within the PSNI which holds information relevant to the FOI
request. The FOI Decision Maker asks the Workforce Planning
Team to provide that information. 47
c) A member of the Workforce Planning Team uses workforce data
to prepare the information requested. Specifically, they use a file
of data downloaded from the PSNI’s human resources
management system (SAP). This data file, referred to as
48
“Combined 3C & Perlist”, is an Excel file (workbook) containing
a single worksheet titled “SAP DOWNLOAD”. The workforce data
45
PSNI Second enquiries response letter, 22 September 2023, p. 5. The July 2023
version was not, however, in effect at the time of the 8 August Incident.
46That is, the procedure for handling those FOI requests which required analysis of
workforce data downloaded from SAP.
47Specifically, the FOI Decision Maker sends the Workforce Planning Team the
wording of the FOI request along with a case tracker form. Case tracker forms “seek
views from the business areas on the application of any relevant harm in releasing
information into the public domain as well as the application of any cost
considerations” (PSNI Second enquiries response letter, 22 September 2023, p. 5).
48PSNI Further enquiries response letter, 22 March 2024, p. 2-3.
21FOR PUBLIC RELEASE
within the Excel file is analysed to prepare information relevant
to the FOI request. 49 Multiple other worksheets are created
within the Excel file as part of this analysis, with one worksheet
(a Return worksheet) containing the information prepared for
FOI disclosure. This prepared information usually takes the form
of a table (and can sometimes be an Excel Pivot Table). All other
worksheets (containing the workforce data as downloaded and
any other data workings) are deleted from the Excel file, which
is then saved as a “return copy” file. The return copy Excel file
ought to contain only the Return worksheet. 50
d) The Head of Workforce Planning (as the relevant Operational
Lead) quality assures the return copy Excel file, 51which involves
checking the information prepared is accurate and relevant to
the FOI request. 52 It is then sent to the FOI Decision Maker in
CIB.
e) The FOI Decision Maker 53 reviews the return copy Excel file and
drafts an FOI response letter. The return copy Excel file may be
disclosed to the FOI requester as a separate attachment to the
FOI response letter; alternatively, the prepared information
contained in the return copy Excel file may be incorporated into
the FOI response letter itself. The FOI Decision Maker applies
redactions as appropriate.
49The analysis of this personal data in Excel is the Relevant Processing with respect
to which this Penalty Notice is given.
50PSNI Fourth enquiries response letter, 13 December 2023, p. 2.
51
52PSNI Third enquiries response letter, 15 November 2023, p. 4.
PSNI Fourth enquiries response letter, 13 December 2023, p. 2.
53Also referred to as “Corporate Information Decision-Makers” in the FOI Service
Instruction.
22FOR PUBLIC RELEASE
f) The FOI Decision Maker may 54 discuss the draft FOI response
letter with their line manager (a Corporate Information Team
Leader) (“Team Leader”). If a discussion takes place, the Team
Leader will assess whether quality assurance 55is required (for
instance, if the request is sensitive 56or complex ). The types of
issues which would typically be raised in these discussions would
include the statutory exemptions that might apply, any harm that
might arise in making the FOI disclosure and whether there had
been any similar FOI requests. If quality assurance is considered
necessary, the draft FOI response letter (along with any
attachment) is sent to the Team Leader. Quality assurance by
the Team Leader involves completion of the FOI Response
Quality Assurance Checklist, which includes points such as “Are
the relevant exemptions listed by number, subsection and title”
and “If prejudice based exemptions is the harm correctly
58
explained” and “Format Correct / Spellchecked”.
54
The PSNI stated (PSNI Third enquiries response letter, 15 November 2023, p. 4)
that “only FOI responses identified as requiring further QA are discussed at 1-1
meetings”. The PSNI subsequently stated (PSNI Fourth enquiries response letter, 13
December 2023, p. 3) that “while all responses should be discussed in general
terms with a manager, these discussions may not take place at a 1-1 meeting”. The
Commissioner is not convinced that the PSNI’s procedure required the FOI Decision
Maker to discuss every proposed FOI response with a line manager (whether in
general or specific terms, and whether at pre-scheduled weekly 1-1 meetings or
outside such meetings). The Commissioner notes that in the specific instance of the
8 August Incident, the FOI Decision Maker did not discuss the proposed response
with a line manager; despite this, the PSNI maintain that the FOI Decision maker
involved in the 8 August Incident “followed the current process” (PSNI Fourth
enquiries response letter, 13 December 2023, p. 3; Copy of the FOI Audit Log
completed by FOI Decision Maker, p. 3; PSNI Third enquiries response letter, 15
November 2023, p. 2).
55PSNI Second enquiries response letter, 22 September 2023, p. 5.
56PSNI Third enquiries response letter, 15 November 2023, p. 4 and PSNI Second
enquiries response letter, 22 September 2023, p. 6.
57PSNI Second enquiries response letter, 22 September 2023, p. 6.
58PSNI 2019 QA Log.
23FOR PUBLIC RELEASE
g) Following any quality assurance by the Team Leader, the FOI
decision maker discloses the FOI response letter (along with any
59
attachment) to the FOI requester. This may be done through
the WhatDoTheyKnow website.
36. This procedure was followed by PSNI staff in connection with the 8
August Incident (see the timeline at paragraph 21 above). The PSNI
informed the Commissioner that “staff members followed the current
process but this did not prevent the additional data from being attached
to the response … no misconduct proceedings against staff are being
60
initiated as a result.”
37. The Commissioner has considered whether the FOI Service Instruction,
FOI Audit Log or FOI Response Quality Assurance Checklist contained
any guidance that could have prevented incidents such as the 8 August
Incident. In particular, the Commissioner considered whether these
documents contained any guidance relating to Excel files and checks for
hidden data.
38. Prior to the 8 August Incident, the PSNI’s FOI Service Instruction did not
contain any guidance relating to the secure analysis of personal data in
Excel (in particular, the importance of ensuring personal data was – if
appropriate - removed from Excel files once analysis had been
completed). The FOI Service Instruction did not contain any guidance
relating to the format in which electronic files should be disclosed to an
FOI requester. Whilst the FOI Service Instruction referred to checks and
quality assurance, it provided no guidance as to what those checks and
59The PSNI’s Strategic Communications and Engagement Department may also
review the proposed response prior to disclosure.
60
PSNI Third enquiries response letter, 15 November 2023, p. 2.
24FOR PUBLIC RELEASE
assurance processes should entail. In particular, there was no guidance
61
to check FOI response letters and their attachments for hidden data.
39. The template FOIA Audit Log includes questions such as: “Have you
double-checked the contact details of the requester to ensure they are
accurate?” and “Has the requester expressed a format to receive the
information?”. There is however no guidance relating to the appropriate
format in which electronic files should be disclosed, and there is no
question prompting the FOI decision maker to check FOI response letters
and attachments for hidden data. The FOI Response Quality Assurance
Checklist is similarly deficient.
40. The PSNI also confirmed that, prior to the 8 August Incident, there was
no guidance or policy on the use of Excel, whether specific to the context
of handling FOI requests or more generally. 62
41. The Commissioner also investigated whether PSNI staff and officers
involved in handling FOI requests had received any training which might
have prevented incidents such as the 8 August Incident.
42. The Commissioner reviewed the mandatory FOI training for all PSNI staff
and officers (“all-staff FOI training”). Staff in the PSNI’s Workforce
Planning Team, who would carry out the Relevant Processing, would
61
Once FOI Decision Makers have made any redactions to the prepared information,
the July 2023 FOI Service Instruction states “Whilst all requests are discussed at a
weekly 1-1, where relevant, requests will be sent to a team leader or other senior
staff member if appropriate for quality assurance” (FOI Service Instruction, July
2023, p. 15). The October 2019 version on the other hand simply instructs FOI
Decision Makers to “Send [the proposed response] to team leader for quality
assurance” (FOI Service Instruction, 2 October 2019, p. 15). For the reasons given
at footnote 54 above, the Commissioner does not consider that, in practice, a
discussion with a Team Leader was a required step in the PSNI’s FOI handling
procedure.
62PSNI Initial enquiries response letter, 29 August 2023, p. 5.
25FOR PUBLIC RELEASE
receive this training. The Workforce Planning Team staff involved in the
8 August Incident had received this training. 63
43. The Commissioner also reviewed the “FOI/SAR Decision Maker” training
which is mandatory for staff in the CIB (such as FOI Decision Makers and
the Team Leader). The CIB staff involved in the 8 August Incident had
received this training. 64
44. Prior to the 8 August Incident, neither the all-staff FOI training nor the
“FOI/SAR Decision Maker” training raised awareness of the risk that FOI
response letters and their attachments might contain hidden data. 65
There was no guidance relating to checks for hidden data or the format
in which electronic files should be disclosed.
Organisational measures introduced in August/September 2023
45. Once aware of the 8 August Incident, on the day of the personal data
66
breach, the PSNI’s SIRO decided that, going forward, FOI responses
should be provided in PDF format only (Excel files were not to be
63PSNI Third enquiries response letter, 15 November 2023, p. 5.
64PSNI Third enquiries response letter, 15 November 2023, p. 5.
65The Commissioner notes that the “FOI/SAR Decision Maker” training contained
the following paragraph: “Metadata: Metadata collected in electronic documents is
also classed as being held for the purposes of FOI and if requested there is an
expectation that this will be released to the requester. This metadata may contain
the author, date, size; file paths, editing history, and formatting information of the
document. In PSNI this is not normally provided and if requested we need to be
mindful of the security of our staff (remove names) and our information.” This
paragraph only refers to scenarios where metadata is specifically requested by an
FOI requester. It does not require the metadata of electronic documents to be
checked as a matter of course (i.e. in scenarios where the FOI requester has not
specifically requested metadata). The paragraph therefore does not relate to a
check for hidden data.
66The SIRO role is at Assistant Chief Constable (ACC) rank and provides “strategic
decision making at a senior level responsible for promoting information governance
and ensuring mitigation of information risks, including those linked to personal data”
(Data Protection Service Instruction, 11 February 2019, p. 5). The SIRO was (and
continues to be) ACC Todd, who is also the Gold Commander of Operation Sanukite
(PSNI Gold Strategy - Op Sanukite, 10 August 2023, p. 8).
26FOR PUBLIC RELEASE
attached), regardless of the format in which information had been
requested. 67 This decision (the “PDF Policy”) was communicated as a
“direction” to CIB staff on 9 August 2023. 68
46. By 29 August 2023 the PSNI had taken the decision “that all external
products must be flattened by PDF unless authorised by the Gold
69
command structure in place.”
47. On 8 September 2023, the PSNI issued an “Interim Guidance on Sharing
Data Securely” (the “Interim Guidance”). 70 The Interim Guidance
applied to any instance of “sharing MS Excel data externally” (not just in
the context of FOI responses) and it advised officers and staff on how to
do so securely. In relation to FOI responses specifically, the Interim
Guidance stated “Flattened PDF/CSV files only for responses to all public
requests, FOI or otherwise.” The Interim Guidance went on to illustrate
how an Excel file can be saved as a PDF or CSV file. It was provided to
staff within the CIB.71
IV. THE COMMISSIONER’S FINDINGS OF INFRINGEMENT
A. Controllership and jurisdiction
67
PSNI Initial breach report, 08 August 2023, p. 4. As the Commissioner explains at
paragraph 88 below, this policy was contrary to the PSNI’s obligations under the
Freedom of Information Act 2000.
68 PSNI Email to the ICO responding to an additional query, 25 March 2024.
69
PSNI Initial enquiries response letter, 29 August 2023, p. 5. The Commissioner
understands this decision did not apply to FOI responses: the PDF Policy and the
Interim Guidance indicate that FOI responses were not capable of such authorisation
by the Gold command structure (i.e. FOI responses had to be flattened to PDF/CSV
format, without exception).
70 PSNI Interim security guidance on safe data sharing, 8 September 2023.
71 PSNI Further enquiries response letter, 22 March 2024, p. 4.
27FOR PUBLIC RELEASE
72
48. The PSNI was the controller in respect of the Relevant Processing. The
PSNI determined its purpose and means within the meaning of Article
4(7) UK GDPR. The PSNI’s Adult Privacy Notice confirms the PSNI is
“obliged to process” personal data of “personnel including … police
officers and police staff” pursuant to “legal obligations including
enactments”, and that it is a controller in respect of such processing. 73
49. The UK GDPR applied to the Relevant Processing by virtue of Articles
2(1) and 3(1) UK GDPR. The Relevant Processing was structured
processing of personal data, it took place in the context of the activities
of a controller established in the UK, and none of the exceptions in Article
2 UK GDPR applied.
50. Part 2 of the DPA applied to the Relevant Processing by virtue of section
4 DPA.
B. Nature of the personal data and context of the Relevant
Processing
74
51. The workforce data involved in the Relevant Processing was personal
data. It included a field for a (unique) service or staff number, which was
an identifier (enabling the PSNI to directly distinguish one officer/staff
member from another). The workforce data also contained two further
fields: a data subject’s full surname and first name initials. Collectively,
these two further fields are highly likely to have been an identifier from
the PSNI’s perspective.
72The processing of personal data of PSNI officers and staff that took place
whenever workforce data was analysed in Excel by PSNI staff to prepare information
73 response to freedom of information requests.
Adult Privacy Notice | PSNI (accessed 26 September 2024).
74Specifically, the data file downloaded from the PSNI’s human resources
management system called “Combined 3C & Perlist”. Whilst PSNI staff may have
analysed other types of human resources data in Excel to prepare FOI responses,
the Commissioner’s investigation has focused solely on “Combined 3C & Perlist”.
28FOR PUBLIC RELEASE
52. These identifiers (staff/service number; and the combination of surname
75
and initials) and the 28 other fields contained in the workforce data
which were associated with these identifiers (fields such as job role,
rank/grade, department, post location, contract type and gender)
constituted personal data: they were information relating to identified
natural persons. The workforce data did not contain personal addresses
of data subjects.
53. The workforce data downloaded and analysed to prepare a response to
an FOI request (both in connection with the 8 August Incident and
otherwise) was therefore personal data within the meaning of Article
4(1) UK GDPR and section 3(2) DPA. The 8 August Incident involved the
76
unauthorised disclosure of this personal data.
54. To understand the sensitivity of this personal data, it is important to
recognise the history and unique political and policing context within
Northern Ireland.
55. Since the foundation of Northern Ireland in 1921, the region has
experienced sectarian conflict and violence known as “the Troubles”.
Throughout much of Northern Ireland there has been a long history of
deep and seemingly irreconcilable divisions between nationalists
(predominantly Roman Catholic) and unionists (generally Protestant).
56. It is however relevant to note that that whilst the Belfast Agreement
(known as the Good Friday Agreement) was signed in 1998 and brought
an end to the majority of the violence of the Troubles, there are dissident
paramilitary groups who reject the political process and the institutions
75PSNI Anonymised copy of the spreadsheet disclosed as part of data breach
contains 32 fields, but one of these is “not used”. There is therefore a total of 31
information fields.
76
PSNI Initial breach report, 8 August 2023.
29FOR PUBLIC RELEASE
created by the Good Friday Agreement. It has been reported that these
dissident groups seek to destabilise Northern Ireland through the tactical
use of violence, targeting members of the PSNI and other security
personnel as well as seeking to cause disruption and economic
damage. 77
57. There remains a real risk to members of the PSNI 78and the shooting of
a senior police officer in February 2023 was a reminder of the threat still
faced by police officers in Northern Ireland. As a result of this shooting,
in March 2023 MI5 raised the national security threat level for Northern
Ireland from ”substantial” to ”severe”, meaning that the risk of a
(Northern Ireland-related) terrorist attack was ”highly likely”. 79
58. In response to the 8 August Incident, Assistant Chief Constable Chris
Todd recognised that the PSNI “is operating in an environment where
there is a Severe threat of attack against our officers and staff from
Northern Ireland Related Terrorism (NIRT). From the outset therefore a
key planning assumption will be that a “reasonable worst case scenario”
is that the data falls into the hands of those that would use it to cause
harm to our officers, staff and their families”.80
59. The threat from dissident republicans is particularly acute in the case of
PSNI officers/staff who are from a Catholic community background.
77Dissident republicans in Northern Ireland - what do they want? An explainer – The
78ish News, 10 September 2023 (accessed 26 September 2024)
Dissident republicans: Why Northern Ireland police are still a target - BBC News,
14 August 2023 (accessed 26 September 2024).
79Northern Ireland-related Terrorism threat level raised - GOV.UK (www.gov.uk), 28
March 2023 (accessed 26 September 2024). The threat level was reduced to
“substantial” on 6 March 2024: Statement from the Secretary of State on the
Northern Ireland Security Update - GOV.UK (www.gov.uk) (accessed 26 September
2024).
80PSNI Gold Strategy - Op Sanukite, 10 August 2023.
30FOR PUBLIC RELEASE
According to the latest PSNI workforce composition statistics, 33% of
officers and 19% of staff are “perceived Roman Catholic”. 81
60. In light of this threat, in order to protect themselves and their friends
and family, many PSNI officers and staff take steps to conceal their
82
occupation from the world at large.
61. The Commissioner notes that the extent to which PSNI officers and staff
are able to conceal their occupation will vary according to specific role.
PSNI officers in public-facing roles may only be able to conceal their
occupation to a limited extent. PSNI staff who are in back-office roles
may be more able to conceal their occupation.
62. The Commissioner also notes that some PSNI officers and staff choose
not to conceal their occupation, despite their roles permitting them to do
so.
63. Officers involved in covert roles, however, have no choice but to conceal
their occupation. The workforce data which was subject to the Relevant
Processing (and which was disclosed in the 8 August Incident) included
the personal data of officers involved in covert roles (including their last
name and first name initials). The Commissioner understands that
although the workforce data did not explicitly label a given data subject
as an officer involved in a covert role, strong inferences could be drawn
to that effect (for instance, a data subject in the Crime Department’s
83
Intelligence Branch whose unit was marked “secret” was likely to be
an officer involved in a covert role).
81Workforce Composition Statistics | PSNI, 1 September 2024 (accessed 26
82ptember 2024).
PSNI data breach: 'Family fears for my safety as a police officer' - BBC News, 9
August 2023 (accessed 26 September 2024).
83Dissident republicans claiming to possess information from PSNI data breach,
says Byrne – The Irish Times, 10 August 2023 (accessed 26 September 2024).
31FOR PUBLIC RELEASE
64. The PSNI has accepted the sensitivity of the workforce data. The PSNI
explained in the data breach report that “there is a risk of identification
of officers and staff including those in crime operational roles”. The PSNI
acknowledged the “scale of this breach and the impacts to the safety of
officers and staff”. The PSNI explained that “our criminal investigation
has confirmed the information is now in the hands of Dissident
Republican Terrorists in Northern Ireland and PSNI has made this fact
84
public”.
C. The infringements
65. The fact that an unauthorised disclosure took place on 8 August 2023
(the 8 August Incident) is not, in and of itself, sufficient to find that the
PSNI has infringed Articles 5(1)(f) and 32 UK GDPR. 85 The Commissioner
has considered whether the facts set out at paragraphs 32 to 47 above
(the PSNI’s relevant procedures, policies and guidance) constitute
infringements of the UK GDPR.
66. In order to assess the PSNI’s compliance with Articles 5(1)(f) and 32 UK
GDPR, the Commissioner must necessarily exercise his judgement, as
regulator, as to what “appropriate” security and “appropriate” technical
and organisational measures would be in the circumstances (that is,
taking into account “the state of the art, the costs of implementation and
the nature, scope, context and purposes of processing as well as the risk
of varying likelihood and severity for the rights and freedoms of natural
86
persons”).
84
85PSNI Initial enquiries response letter, 29 August 2023.
See the CJEU’s recent judgment in VB v Natsionalna agentsia za prihodite (Case
C-340/21) at paragraphs 22-39, which the Commissioner has had regard to.
86See the text of Articles 5(1)(f) and 32 UK GDPR reproduced at paragraphs 15 and
16 above.
32FOR PUBLIC RELEASE
67. For the reasons set out below, the Commissioner’s view is that the PSNI
infringed Articles 5(1)(f), 32(1) and (2) UK GDPR. The infringements
involved a failure by the PSNI to use appropriate technical and
organisational measures to ensure appropriate security of the personal
data subject to the Relevant Processing.
Appropriate security of the personal data
68. In assessing the “appropriate security of the personal data” under Article
5(1)(f) UK GDPR (and, equivalently, the “level of security appropriate to
the risk” under Article 32 UK GDPR), the Commissioner has considered
87
the risk to the rights and freedoms of PSNI officers and staff which the
Relevant Processing presented, in particular from unauthorised
disclosure. Recital 75 UK GDPR states that such risk “may result from
personal data processing which could lead to physical, material or non-
material damage”.
69. Unauthorised disclosure of the workforce data risked data subjects being
identified as PSNI officers/staff by family and friends (to whom the data
subject had not revealed their occupation). It also risked data subjects
being physically identified by dissident republicans.
70. If dissident republicans physically identified a data subject as a PSNI
officer/staff member, this carried a further risk that other individuals
would be physically identified as family members or friends of that data
subject.
71. The Commissioner recognises that the threat to PSNI officers and staff
is not from dissident republicans alone; there is a threat from organised
87As well as of those officers and staff in post at the time, the workforce data
contained the personal data of officers and staff who were suspended or on a career
break (PSNI Initial enquiries response letter, 29 August 2023, p. 4).
33FOR PUBLIC RELEASE
crime groups and also from other paramilitary groups in Northern
Ireland.
72. The Commissioner considers all three categories of damage as identified
in Recital 75 UK GDPR (physical, material and non-material) could flow
from the risks identified at paragraphs 69 to 71 above. Psychological
harm, severe injury and even death could flow from those risks.
73. Recital 75 provides specific examples of damage. Of those examples, the
Commissioner considers the following could have arisen from the risks
identified at paragraphs 69 to 71 above:
a) loss of control over personal data (that is, a data subject losing
control of information about their occupation);
b) deprivation of rights and freedoms (right to life, right to respect
for private and family life, peaceful enjoyment of property);
c) discrimination;
d) financial loss;
e) damage to reputation.
74. Paragraph 113 below sets out the types of damage which materialised
as a result of the 8 August Incident.
75. In ensuring a level of security appropriate to the risk, Article 32(1) UK
GDPR requires a controller to take into account the likelihood and
severity of the risk to the rights and freedoms of data subjects.
76. The severity of the risk is self-evident.
77. The following factors are relevant to the likelihood of the risk presented
by the Relevant Processing:
34FOR PUBLIC RELEASE
a) The PSNI regularly received FOI requests which would require a
member of the Workforce Planning Team to carry out the
Relevant Processing. The PSNI confirmed that it was “normal
practice” for the Workforce Planning Team to use workforce
data 88to “create a pivot table to display the required data”. 89
This regularity increased the likelihood that an unauthorised
disclosure would occur.
b) Electronic files often contain data which is ‘hidden’ (i.e. data
which is not immediately visible on screen, but is elsewhere
within the file - the most obvious example being an electronic
file’s metadata). It is particularly easy for spreadsheet files (such
as Excel files) to contain hidden data; they are therefore
particularly prone to human error. The fact that Excel files can
contain worksheets which are not automatically visible as tabs
has been noted at footnote 18 (page 12 above). Other examples
of how Excel files can contain hidden data include: the fact that
it is possible to purposefully hide worksheets, rows and columns;
and the fact that the underlying data used to generate a pivot
90
table can be embedded in the pivot table as hidden data.
Further examples of how spreadsheet files (and other electronic
files) can contain hidden data are set out in the ICO’s guidance,
How to disclose information safely – Removing personal data
from information requests and datasets. 91
88
Specifically, the data file called “Combined 3C & Perlist”, which includes (for all
officers and staff who are in post, suspended or on a career break at the time of
download) the following categories of personal data: surnames and first name
initials, job role, rank/grade, department, location of post, contract type, gender
and PSNI service/staff number.
89
PSNI Fourth enquiries response letter, 13 December 2023.
90This underlying data can be accessed simply by double-clicking the pivot table.
91How to disclose information safely (ico.org.uk), June 2018 (accessed via search
engine 26 September 2024).
35FOR PUBLIC RELEASE
c) The Relevant Processing involved the personal data of all (almost
10,000) PSNI officers and staff. This increased the likelihood of
risk to rights and freedoms.
d) Responses to FOI requests were usually publicly available (they
were often published on the WhatDoTheyKnow website and the
92
PSNI website’s FOI disclosure log).
e) The workforce data included information such as the data
subject’s rank/grade (which would likely be correlated with their
age) as well as their gender and their post location. This
increased the likelihood of identification (described at paragraph
69 above).
78. The following factors are relevant to the likelihood of the risk to the rights
and freedoms of particular groups of PSNI officers and staff from the
Relevant Processing:
a) The uniqueness of many Irish surnames (and the possibility of
associating some such surnames with a Catholic community
background). A data subject with such a surname would be more
likely to be identified as described at paragraph 69 above.
b) Similarly, the uniqueness (within Northern Ireland) of surnames
of police officers and staff from ethnic minority backgrounds. A
data subject with such a surname would be more likely to be
identified as described at paragraph 69 above.
92For the avoidance of doubt, the Commissioner recognises that the use of online
platforms to submit and receive responses to FOI requests can be efficient and help
promote transparency and are within the scope of the legislation. The use of online
platforms is however a relevant factor in considering the likelihood of risk in this
case.
36FOR PUBLIC RELEASE
c) As regards officers involved in covert roles:
i. The likelihood of damage flowing from identification by
family and friends was higher in the case of officers
involved in covert roles, as their occupation was more likely
to be concealed in the first place.
ii. The likelihood of physical identification by paramilitary
groups including dissident republicans was, on balance,
higher in the case of officers involved in covert roles who
engaged (in person) with paramilitaries as part of their role.
This would be the case if, for instance, an identity in the
workforce data could be (directly or indirectly) linked to an
image of that individual.
iii. The workforce data would enable paramilitaries to infer that
a given data subject was an officer involved in covert
93
roles. Paramilitary groups including dissident republicans
would likely concentrate their efforts on physically
identifying such data subjects, thereby increasing the
likelihood of such identification.
79. The factors above indicate that a high level of security was appropriate
to the risk presented by the Relevant Processing. The PSNI was required
to implement appropriate technical and organisational measures to
ensure this high level of security.
Assessment of compliance prior to the 8 August Incident
80. Under the UK GDPR, it is for the PSNI to demonstrate compliance with
Article 5(1)(f) (by virtue of Article 5(2)). It is also for the PSNI to
demonstrate compliance with Article 32(1) and (2) (by virtue of Article
24).
93
See paragraph 63 above.
37FOR PUBLIC RELEASE
81. Paragraphs 32 to 44 above detail the Commissioner’s findings of fact in
relation to the PSNI’s relevant procedures, policies and guidance in place
prior to the 8 August Incident.
82. The Commissioner finds that those procedures, policies and guidance did
not amount to an appropriate organisational measure. They did not
ensure appropriate security of the personal data which was subject to
the Relevant Processing, in that they did not appropriately protect the
94
workforce data from unauthorised disclosure as “hidden” data. The
PSNI therefore infringed Articles 5(1)(f) and 32(1) UK GDPR.
83. To explain his finding of infringement, the Commissioner considers it
useful to indicate ways in which the PSNI’s procedures, policies and
guidance might have amounted to an appropriate organisational
measure:
a) A policy whereby spreadsheet files are disclosed only when the
FOI requester expresses a preference for the information to be
provided in that format.95
b) An FOI handling procedure which includes requirements for –
i. the FOI Decision Maker to check all FOI response letters
and attachments (that are electronic files) for hidden data
– such a check being incorporated into the FOI Audit Log;
ii. the FOI Decision Maker to discuss all FOI response letters
with a Team Leader (and to make the Team Leader aware
94I.e. data which is not immediately visible on screen, but is elsewhere within an
electronic file.
95Such a policy would be consistent with the Commissioner’s advisory note to all
public authorities, issued on 28 September 2023: Information Commissioner’s Office
- Advisory note to public authorities | ICO.
38FOR PUBLIC RELEASE
of any attachments and the format in which any electronic
files are to be disclosed); and
iii. the Team Leader to perform a second check for hidden data
where information is to be disclosed as a spreadsheet file –
such a check being incorporated into the FOI Response
Quality Assurance Checklist.
c) The policy at (a) and the procedural requirements at (b) above
to be clearly recorded in appropriate documents (here, the FOI
Service Instruction, FOI Audit Log and FOI Response Quality
Assurance Checklist).
d) CIB staff to be required to confirm to line managers that they
have read and understood appropriate guidance on checking
electronic files for hidden data (such as the ICO’s guidance How
to disclose information safely – Removing personal data from
information requests and datasets, dated 24 May 2018).
e) The provision of appropriate training (at appropriate intervals) to
CIB staff which –
i. raises awareness of the policy at (a) and the procedural
requirements at (b); and
ii. ensures CIB staff are competent to perform checks for
hidden data.
84. The Commissioner notes that there may be other ways in which the
PSNI’s procedures, policies and guidance prior to the 8 August Incident
could have amounted to an appropriate organisational measure. That is,
the PSNI could have demonstrated compliance (protected the workforce
data from unauthorised disclosure as “hidden” data) in other ways. 96
96
The PSNI could also have implemented appropriate technical measures.
39FOR PUBLIC RELEASE
85. The PSNI was unable to provide evidence of any assessment of the
97
appropriate level of security in relation to the Relevant Processing.The
Commissioner therefore finds that the PSNI also infringed Article 32(2)
UK GDPR.
Assessment of compliance following introduction of August/September 2023
organisational measures
86. Paragraphs 45 to 47 above set out the Commissioner’s findings of fact
in relation to the procedures, policies and guidance introduced by the
PSNI in August/September 2023 (following the 8 August Incident).
87. The direction issued by the SIRO on 9 August 2023 98constituted a policy
requiring all FOI responses to be in PDF format (the “PDF Policy”). The
Interim Guidance issued on 8 September 2023 reinforced the PDF Policy
but allowed FOI responses to be in CSV format (as well as PDF).
88. The Commissioner acknowledges that the PDF Policy and Interim
Guidance will have improved the security of the personal data which was
subject to the Relevant Processing. The Commissioner finds however
that they did not amount to an appropriate organisational measure. This
is for two reasons:
a) If a FOI requester expresses a preference under section 11(1) of
the Freedom of Information Act 2000 for receiving the information
in a particular software format (such as an Excel file), the PSNI is
required to give effect to that preference so far as reasonably
97PSNI Further enquiries response letter, 22 March 2024, p. 2.
98
PSNI Email to the ICO responding to an additional query, 25 March 2024.
40FOR PUBLIC RELEASE
practicable.99 The PDF Policy and Interim Guidance did not align
with this legal requirement. In order to be appropriate, an
organisational measure (implemented to protect personal data
which is subject to the Relevant Processing) would need to form
part of a single, coherent FOI handling procedure which ensured
the PSNI’s compliance with the Freedom of Information Act 2000.
b) Putting the above consideration to one side, the Commissioner
considers the PDF Policy and Interim Guidance would only have
ensured appropriate security of the workforce data if they had been
properly integrated into the PSNI’s FOI handling procedure. Such
integration would have involved (at the very least) references to
the PDF Policy and Interim Guidance in the FOI Service Instruction
and the FOI Audit Log (the key corporate documents which govern,
and which are used as part of, the FOI handling procedure). Neither
the FOI Service Instruction nor the FOI Audit Log were updated in
this way. 100The Interim Guidance was a separate document that
was not specific to the handling of FOI requests and which was
“interim pending its amalgamation into current service instructions
and Information Security standards”. 101
89. The Commissioner finds, therefore, that despite the introduction of
organisational measures in August/September 2023, the PSNI continued
to infringe Article 5(1)(f) and Article 32(1) UK GDPR. It had yet to use
appropriate organisational measures to protect the workforce data from
unauthorised disclosure as hidden data.
99
Innes v the Information Commissioner and Buckinghamshire County Council
[2014] EWCA Civ 1086. See the Commissioner’s guidance on s.11 FOIA: Means of
communicating information (section 11) | ICO, last updated 11 October 2021.
100FOI Audit Log v4, November 2023.
101Interim security guidance on safe data sharing dated 8 September 2023.
41FOR PUBLIC RELEASE
Assessment of compliance as of 14 June 2024
102
90. On 20 May 2024, the Commissioner informed the PSNI that the
Commissioner intended to give an enforcement notice pursuant to
section 149 DPA (in addition to a penalty notice).
91. The proposed enforcement notice would have required the PSNI to
implement points (a) to (e) at paragraph 83 above (steps which the
Commissioner considers would have resulted in the implementation of
an appropriate organisational measure).
92. On 14 June 2024, the Commissioner received written representations
from the PSNI about his intention to give an enforcement notice. The
written representations confirmed that the PSNI had, as of 14 June 2024,
taken the steps which the proposed enforcement notice would have
required (the steps at paragraph 83 above). The written representations
attached copies of updated versions of the FOI Service Instruction, FOI
Audit Log and FOI Response Quality Assurance Checklist. A copy of the
PSNI’s “Policy on the Safe and Secure Use of Spreadsheets for Data
Sharing” was also provided.
93. Having considered the written representations and accompanying
documents, the Commissioner finds that by 14 June 2024, the PSNI had
implemented appropriate measures to ensure appropriate security of the
workforce data which was subject to the Relevant Processing, in so far
as the workforce data was protected from unauthorised disclosure as
103
“hidden” data. The ongoing infringements of Articles 5(1)(f) and 32
UK GDPR were therefore remedied by that date. 104
102
By way of a “preliminary” enforcement notice.
103I.e. data which is not immediately visible on screen, but is elsewhere within an
electronic file.
104As a result, there are no longer grounds to give the proposed enforcement
notice.
42FOR PUBLIC RELEASE
V. DECISION TO IMPOSE A PENALTY
94. For the reasons set out below, the Commissioner has decided to impose
a penalty on the PSNI in respect of the infringements of Articles 5(1)(f),
32(1) and 32(2) UK GDPR during the period 25 May 2018 to 14 June
2024.
A. Legal framework – penalties
95. When deciding whether to give a penalty notice to a person and
determining the appropriate amount of that penalty, section 155(2)(a)
DPA requires the Commissioner to have regard to the matters listed in
Article 83(1) and (2) UK GDPR, so far as relevant.
96. Article 83(1) UK GDPR requires the Commissioner to ensure that the
imposition of a penalty is effective, proportionate, and dissuasive in each
individual case.
97. Article 83(2) UK GDPR requires the Commissioner to give due regard to
the following:
(a) the nature, gravity and duration of the infringement taking into
account the nature scope or purpose of the processing concerned
as well as the number of data subjects affected and the level of
damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the
damage suffered by data subjects;
43FOR PUBLIC RELEASE
(d) the degree of responsibility of the controller or processor taking
into account technical and organisational measures implemented
by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or
processor;
(f) the degree of cooperation with the Commissioner, in order to
remedy the infringement and mitigate the possible adverse effects
of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the
Commissioner, in particular whether, and if so to what extent, the
controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously
been ordered against the controller or processor concerned with
regard to the same subject-matter, compliance with those
measures;
(j) adherence to approved codes of conduct pursuant to Article 40
or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the
circumstances of the case, such as financial benefits gained, or
losses avoided, directly or indirectly, from the infringement.
B. The Commissioner’s decision on whether to impose a penalty
44FOR PUBLIC RELEASE
98. Paragraphs 101 to 164 below set out the Commissioner’s assessment of
whether it is appropriate to issue a penalty in relation to the
infringements set out above. That assessment involves consideration of
the factors in Articles 83(1) and 83(2) UK GDPR. The order in which
these considerations are set out below follows the Commissioner’s Data
Protection Fining Guidance, (the “Fining Guidance”): 105
a) seriousness of the infringements (Article 83(2)(a), (b) and (g));
b) relevant aggravating or mitigating factors (Article 83(2)(c)-(f),
(h)-(k));
c) effectiveness, proportionality and dissuasiveness (Article 83(1)).
99. The Commissioner has not conducted a separate assessment for each
infringement. As explained further below, the Commissioner considers
the three infringements are of the same nature. 106 An assessment of
whether it is appropriate to impose a penalty has been taken in relation
to the three infringements collectively.
100. The Commissioner’s decision is to impose a penalty.
Seriousness of the infringements: Article 83(2)(a) the nature, gravity and
duration of the infringements
101. In assessing the seriousness of the infringements, the Commissioner has
given due regard to their nature, gravity and duration.
Nature of the infringements
105Data Protection Fining Guidance | ICO, 18 March 2024.
106
See footnote 145.
45FOR PUBLIC RELEASE
102. Article 5(1)(f) UK GDPR (integrity and confidentiality) is a basic principle
for processing. An infringement of this provision is subject to the higher
107
maximum fine, increasing its seriousness.
Gravity of the infringements
103. In assessing the gravity of the infringements, the Commissioner has
considered the nature, scope and purpose of the Relevant Processing, as
well as the number of data subjects affected by the Relevant Processing
and the level of damage they have suffered. 108
104. In the absence of appropriate security measures, the nature of the
Relevant Processing was likely to result in high risk to data subjects for
the reasons set out at paragraphs 68 to 79 above. The data subjects
were at greater risk because of their occupation as PSNI officers/staff
(especially officers involved in covert roles).
105. As regards the scope of the Relevant Processing, the Commissioner
notes that its territorial scope extended to officers and staff from across
the whole of Northern Ireland.
106. The purpose of the Relevant Processing was to respond to FOI requests.
The Commissioner considers this to be a regular activity of the PSNI (and
of all public authorities). Organisations are expected to ensure
compliance in respect of all their processing, but particularly so in respect
of processing which forms part of a regular activity. If an organisation
cannot ensure compliance in respect of regular activities, this diminishes
107£17,500,000, or in the case of an undertaking, up to 4 % of the total worldwide
annual turnover of the preceding financial year, whichever is higher (Article
83(5)(a) UK GDPR).
108Article 83(2)(a) UK GDPR.
46FOR PUBLIC RELEASE
confidence in the organisation’s compliance overall. The purpose of the
Relevant Processing therefore increases the gravity of the infringements.
107. The Relevant Processing, and therefore the infringements, affected all
PSNI officers and staff. In the context of the 8 August Incident, this
amounted to 9,483 affected data subjects. When considered in light of
the level of damage suffered, this factor increases the gravity of the
infringements. Further consideration of the number of data subjects who
suffered damage as a result of the 8 August Incident is set out at
paragraph 112 below.
108. In relation to the level of damage suffered by affected data subjects, the
Fining Guidance makes clear that the Commissioner will have regard to
both potential and actual damage.
109. The infringements involved a failure to protect the workforce data from
unauthorised disclosure as “hidden” data. The types of damage which
data subjects could have potentially suffered as a result of unauthorised
disclosure have been set out at paragraphs 72 and 73 above. They
include the gravest type of damage: severe physical injury and even
death. This increases the gravity of the infringements.
110. The Commissioner is of the view that, on the balance of probabilities,
the 8 August Incident occurred as a consequence of the infringements
set out in this Penalty Notice. In assessing the level of damage suffered
as a result of the infringements, the Commissioner has therefore had
regard to the damage suffered by data subjects as a result of the 8
August Incident. As stated in the Fining Guidance, however, “The
Commissioner’s assessment of the level of damage suffered by data
subjects will be limited to what is necessary to evaluate the seriousness
of the infringement. Typically, it would not involve quantifying the harm,
either in aggregate or suffered by specific people. It is also without
47FOR PUBLIC RELEASE
prejudice to any decisions a UK court may make about awarding
compensation for damage suffered.”
111. Complaints lodged by data subjects under Article 77 UK GDPR have
assisted the Commissioner’s assessment of the level of actual damage
suffered. Five bulk complaints 109from staff associations and networks
were lodged with the Commissioner, as well as six individual complaints.
The five bulk complaints were lodged by the Police Federation for
Northern Ireland, the Superintendents’ Association, the Catholic Police
Guild, the Ethnic Minority Police Association and the Christian Police
Association.
112. The Commissioner notes that not all affected data subjects will have
suffered damage and that of those who did, the types and level of
damage are highly specific to individual circumstances. In considering
the number of data subjects who suffered damage as a result of the 8
August Incident, the Commissioner has had regard to the high volume
of referrals made to the PSNI’s Emergency Threat Management Group
(such that the PSNI had to prioritise them by implementing a RAG rating
system). Of the referrals received as of 22 September 2023, 879 had
been categorised as red, 1,616 had been categorised as amber and
1,543 had been categorised as green. 110 As of 18 October 2023, a total
of 4,024 111 referrals had been made. The Commissioner also
109
On 18 September 2023 the PSNI and the ICO issued a joint statement to all PSNI
officers and staff. The statement informed officers and staff that the ICO was
engaging with staff associations and networks regarding complaints and that
individuals did not need to lodge complaints separately (Joint comms email sent to
PSNI staff, 18 September 2023). The ICO met with representatives of the
associations and networks on 18 October 2023 and it was agreed that the
associations and networks would gather information from their members and
provide this to the ICO in the form of bulk complaints.
110PSNI Second enquiries response letter, 22 September 2023, p. 13.
111Though the PSNI had identified over 800 of these to be duplicate referrals.
(Internal meeting notes from PSNI visit on 18 October 2023, p. 2).
48FOR PUBLIC RELEASE
understands that more than 6,000 claims have been brought against the
112
PSNI for damages in connection with the 8 August Incident.
113. Two types of (non-material) damage appear to the Commissioner to be
common among many affected data subjects (albeit at varying levels of
severity):
a) psychological harm (fear and anxiety about personal safety and
the safety of family and friends); and
b) loss of control of personal data (diminished ability to control
knowledge of occupation).
114. The Commissioner has not seen evidence of data subjects suffering
physical injury from dissident republicans as a result of the 8 August
Incident.
115. Below, the Commissioner sets out some examples from the lodged
complaints which he has had regard to in assessing the level of damage
113
suffered. The Commissioner is aware that these examples are likely
to represent the most severe levels of damage suffered. This is,
however, precisely why the Commissioner considers these examples to
be instructive in evaluating the gravity of the infringements.
Examples of damage suffered from the lodged complaints
“How has this impacted on me? I don’t sleep at night. I continually get
up through the night when I hear a noise outside to check that
112
High Court order will deliver ‘swift management’ of compensation claims by those
affected by PSNI data breach – The Irish News, 24 March 2024 (accessed 26
September 2024).
113Naturally, these examples reflect the damage suffered from 8 August 2023 up to
the time at which the complaints were lodged. The last complaint was lodged in
February 2024.
49FOR PUBLIC RELEASE
everything is ok. I have spent over £1000 installing modern CCTV and
lighting around my home, because of the exposure.”
“I am a Catholic police officer … My name as a police officer, which I tried
so hard to conceal from family, acquaintances and wider society is now
available to anyone. … I worry most days that at any minute, we don’t
know who is sitting scrutinising that list and trying to investigate and
piece together the intel they may already have amassed and make it
into something actionable to harm us with the data they have now been
furnished with...”
“As a result of the spreadsheet data being released to the public… I have
increased security at my home but also at my parents’ home. I am
struggling to sleep and find myself awake at night checking cameras. I
have not visited my family home since the spreadsheet data was
released as I believe it would put them in further danger. Furthermore,
my parents do not want to visit my home for fear that someone would
follow them to my address.”
“… we have recently had to reconsider all our activities particularly as a
result of the recent data breach with my name being in the public domain
and the fact that it lists me as working in [PSNI department]. … Following
the data breach my wife … has become extremely concerned as to our
own and our children’s personal security, we have no security measures
in our home and financially we have no surplus money to install these.”
“I have gone to great trouble to ensure that I have remained invisible,
with no social media presence, removal from the electoral roll, 192.com,
never revealing my job to others and lying about where I work whenever
asked. … I have trouble sleeping, my children … are all stressed about
my welfare, some of them have told me that they have nightmares about
me getting attacked.”
50FOR PUBLIC RELEASE
“I believe the risk to my personal security and the safety of my wife and
…young children is more significant for me due to the fact that I grew up
in the area where we are most active. As a result of this many persons
involved and linked to paramilitary groups and wider criminal circles in
this area would know me or remember me from both school and
childhood. I have gone to great lengths to keep my occupation
confidential. Only close family and friends previously had knowledge of
it. I have a minimal social media footprint. I have also spent a
considerable amount of effort to make our home private and secure to
reduce potential for attacks. This has now been severely compromised
and will require further expense to upgrade.”
“Everything has culminated and become too much for me to the point
that I have accepted another job outside of the police. I am essentially
taking a pay cut … not to mention leaving the job that I dreamed of since
I was a small child and geared my whole life towards. To say I am
devastated is an understatement but I feel I have no choice.”
“I have quite a unique surname which had been shared in the data
breach, I feel that this not only puts my name in the hands of individuals
who may seek to do harm but also affects my own personal family as
well and my wider family… The PSNI recently had a senior Officer shot
multiple times so the threat does feel very real, in that there are
elements that seek to cause this harm to Police Officers on a daily basis.
This data breach will have aided them in doing so.”
“The breach is having an impact on my personal life as my family are
now very anxious and concerned for their and my welfare. I don’t sleep
well maybe a couple of hours a night, I formulate plans in my head if I
get attacked at home, away from home, in my car, and it’s a lonely
experience.”
51FOR PUBLIC RELEASE
116. The above statements and those contained in the many other lodged
complaints indicate the significant level of actual damage suffered, and
therefore the gravity of the infringements. The Commissioner gives very
significant weight to this factor in his assessment of the gravity of the
infringements.
117. To summarise the Commissioner’s assessment of the gravity of the
infringements: the nature and purpose of the Relevant Processing, the
number of data subjects affected, and the level of damage suffered by
them all increase the gravity of the infringements. The gravity of the
infringements increases their seriousness.
Duration of the infringements
118. The duration of the infringements is from 25 May 2018 (the date of
114
commencement of the DPA and application of the GDPR ) until 14 June
115
2024 (when the infringements were remedied ).
119. The risk of damage (i.e. potential damage) to data subjects existed from
at least as early as 25 May 2018 and could have materialised at any
point during this lengthy period. The risk of damage materialised on 8
August 2023.
120. The duration of the infringements increases their seriousness.
Conclusion on the nature, gravity and duration of the infringements
114That is, the PSNI infringed Articles 5(1)(f), 32(1) and 32(2) UK GDPR ever since
its obligations under those provisions arose in respect of the Relevant Processing.
11See paragraphs 90 to 93 above.
52FOR PUBLIC RELEASE
121. The nature, gravity and duration of the infringements all increase the
seriousness of the infringements.
Seriousness of the infringements: Article 83(2)(b) the intentional or negligent
character of the infringements
122. The Commissioner does not consider that the PSNI acted intentionally in
committing the infringements. The Commissioner does, however, find
that the infringements were clearly negligent in character.
123. The PSNI ought to have known the nature and severity of the risk
described at paragraphs 69 to 73 above.
124. The PSNI ought to have known the likelihood of risk (the factors set out
at paragraphs 77 and 78 above).
125. In particular, the PSNI ought to have known that spreadsheet files are
prone to hidden data (and therefore human error) for the following
reasons:
a) The Commissioner’s FOI guidance raises awareness of this issue:
53FOR PUBLIC RELEASE
i. Under the heading “Is there anything else we should
consider before sending the information?”, first published
on the ICO website in July 2013: 116
ii. In the Commissioner’s more detailed FOI guidance on
“Means of communication information (section 11)”, first
published on 11 October 2021: 117
b) In June 2018, the ICO published the guidance “How to disclose
information safely – removing personal data from information
116Finding and preparing the information | ICO.
117Means of communicating information (section 11) | ICO.
54FOR PUBLIC RELEASE
requests and datasets” on its website. 118This guidance discusses
in detail the various ways in which electronic files can contain
hidden data and how to check for such hidden data. In relation
to spreadsheet files, for instance, the guidance suggests
exporting data to a text file such as CSV, 119and using (in the
case of Excel) the “Document Inspector” tool. 120 A checklist is
provided at the end, with questions such as “Are you sure you
know where all the data is? … Are there hidden work sheets? 121
… Is the file size larger than you might expect for the volume of
data being disclosed?”
c) Other relevant guidance available prior to and since the 8 August
Incident includes:
i. Guidance from the National Archives (last updated April
2016) “Redaction Toolkit: Editing exempt information from
122
paper and electronic documents prior to release”, which
is aimed at “all authorities subject to the Freedom of
Information Act (FOIA), Data Protection (DP) legislation
and Environmental Information Regulations (EIRs), from
central Government departments to local, police, health
and education authorities.”
118How to disclose information safely (ico.org.uk), June 2018 (accessed via search
engine 26 September 2024). Between June 2018 and August 2022, a link to this
guidance was contained in the full index of freedom of information and
environmental information guidance on the ICO website. After August 2022, the link
to this guidance was removed from the full index. The guidance nevertheless
remained on the ICO website and could be found through search engines.
119
On attempting to export data to a text file, a dialog box opens reminding the
user that only the current worksheet will be saved to the new file.
120Though use of this tool would not alert a user to the presence of worksheets
which are not visible as tabs.
121
As noted at paragraph 21(g), in the case of the 8 August Incident, the worksheet
containing the personal data was not hidden, it was simply not visible as a tab.
122redaction_toolkit.pdf (nationalarchives.gov.uk), April 2016 (accessed 26
September 2024).
55FOR PUBLIC RELEASE
ii. The UK Government’s guidance “Creating and sharing
spreadsheets” (first published June 2021). 123
iii. The National Police Chiefs’ Council (“NPCC”) “Manual of
Guidance for the FOIA” 124 (v.8.0, dated January 2021) also
contained guidance stating, “If forces choose to provide the
information in a re-usable format (pivot tables) they must
ensure that any “hidden” information is redacted so as not
to disclose data unintentionally.” 125
iv. Advice (sent directly to all police forces) from the NPCC’s
National Police Freedom of Information and Data Protection
Unit in June 2023. This advice referred specifically to the
risk of “hidden” data in Excel files. The advice included a
link to the ICO’s May 2018 guidance, and even highlighted
how there can be more worksheets than there are visible
tabs.126
123
Creating and sharing spreadsheets - GOV.UK (www.gov.uk), June 2021
(accessed 26 September 2024).
124Microsoft Word - NPCC Manual Of Guidance 2021 v8.0 (cityoflondon.police.uk),
January 2021 (accessed 26 September 2024).
125The PSNI stated that this Manual is “supplied to all staff” (PSNI Initial enquiries
response letter, 29 August 2023). For the avoidance of doubt, the Commissioner
does not consider the supplying of this document to have been (either on its own or
in conjunction with the procedures, policies and guidance set out at paragraphs 32
to 47 above) an appropriate security measure. Whilst the Manual raises the issue of
“hidden” data, it provides very limited guidance on it. The PSNI has also been
unable to point to any requirement for CIB staff to confirm that they had read and
understood the Manual.
126PSNI internal emails re NPCC FOI advice, 21 June 2023. When asked to explain
how the PSNI acted on this piece of advice, the PSNI stated that the advice was
circulated to FOI Decision Makers and line managers within CIB by email (PSNI
Further enquiries response letter, 22 March 2024, p. 4). The Commissioner does not
consider this action (either on its own or in conjunction with the procedures, policies
and guidance set out at paragraphs 32 to 47 above) amounted to an appropriate
security measure. Notably, the PSNI has been unable to point to any requirement
for CIB staff to confirm that they had read and understood the advice. The email
received from the NPCC was simply forwarded to CIB staff without any further
instruction from the PSNI. The PSNI has also been unable to demonstrate that the
advice was properly integrated into the FOI handling procedure. Indeed, was
accepted by the current Chief Constable in oral evidence to the Northern Ireland
Affairs Committee on 13 December 2023: “We had had a number of warnings with
56FOR PUBLIC RELEASE
d) The ICO has fined data controllers (under the Data Protection Act
1998) for failing to take appropriate measures against
unauthorised processing of personal data (in contravention of the
seventh data principle) 127 when using spreadsheet files to share
information externally:
i. In April 2018, the Royal Borough of Kensington and
128
Chelsea, £120,000.
ii. In April 2016, Blackpool Teaching Hospitals NHS
129
Foundation Trust, £185,000.
130
iii. In August 2013, Islington Borough Council, £70,000.
regards to the use of PDFs. I think the report references the National Police Chiefs’
Council in January and June of last year sending out notifications about best
practice. Some of it was adopted in the PSNI and some of it was not. There was no
standard operating procedure to bring that all of that together.”
127
The seventh data protection principle read as follows: “Appropriate technical and
organisational measures shall be taken against unauthorised or unlawful processing
of personal data and against accidental loss or destruction of, or damage to,
personal data.”
128The contravention was as follows: (a) The Council did not provide the FOI team
with any (or any adequate) training on the functionality of Excel spreadsheets or
possible alternatives; (b) The Council had in place no guidance for the FOI team to
check spreadsheets for data hidden in any pivot table before they are disclosed
under FOI.
129
The contravention was as follows: (a) The Trust had in place no procedure
governing requests for information from ESR [the electronic staff records system] to
control its use and further dissemination; (b) The Trust did not provide the team
with any (or any adequate) training on the functionality of Excel spreadsheets or
possible alternatives; (c) The Trust had in place no guidance for the web services
team to check the spreadsheets for hidden data before they were uploaded to its
website.
130The contravention was as follows: a) Whilst the data controller had dedicated
IGOs [Information Governance Officers] in post, there was no formal or consistent
process in place for checking an FOI response; b) There were no specific checking
procedures built into that process to check whether personal or sensitive personal
data was present ahead of providing a response to an FOI request; c) There were
no sufficient procedures in place to train staff to carry out such checks and as such
the data controller failed to equip its staff with the appropriate knowledge and skills.
… i) An effective training programme for staff had not been implemented. The
person responsible for disclosing the information had not been trained properly to
enable them to identify sensitive personal data contained in the pivot tables nor had
they received any specific data protection training. They were therefore unable to
57FOR PUBLIC RELEASE
These cases further raised awareness of how spreadsheet files
are prone to containing hidden data.
126. Having regard to paragraph 83 above, the Commissioner considers an
appropriate organisational measure would have been straightforward
and uncostly to implement.
127. The fact that the PSNI ought to have known the likelihood, nature and
severity of the risk, coupled with the ease with which an appropriate
security measure could have been implemented, renders the PSNI’s
infringements of Articles 5(1)(f) and 32(1) UK GDPR negligent. It was
also negligent not to carry out a data security risk assessment as
required by Article 32(2) UK GDPR.
128. The clearly negligent character of the infringements increases their
seriousness.
Seriousness of the infringements: Ar ticle 83(2)(g) categories of personal data
affected
129. The Commissioner does not consider the workforce data 131which was
subject to the Relevant Processing to be special category data.
mitigate against the risk of an unlawful disclosure. ii) Whilst the data controller had
some standard procedures in place for dealing with FOI requests, the data controller
did not have appropriate technical or organisational measures in place to firstly
screen and check whether personal data was present in information being prepared
for disclosure and secondly to check it, prior to it being disclosed in response to an
FOI request. iii) There is no documented procedure that specified that a request
must be checked by a peer.
131Specifically, the data file called “Combined 3C & Perlist”, which includes (for all
officers and staff who are in post, suspended or on a career break at the time of
download) the following categories of personal data: surnames and first name
initials, job role, rank/grade, department, location of post, contract type, gender
and PSNI service/staff number.
58FOR PUBLIC RELEASE
130. The Commissioner notes, however, paragraph 72 of the Fining Guidance:
“In assessing seriousness, the Commissioner may also take into account
other types of personal data affected by the infringement where that
data may be regarded as particularly sensitive. This includes where the
dissemination of the personal data is likely to cause damage or distress
to data subjects…”.
131. For the reasons set out at Section IV(B) (Nature of the personal data
and context of the Relevant Processing), the workforce data was
sensitive. Where that data related to officers involved in covert roles, it
was particularly sensitive. Disclosure of the workforce data was likely to
cause damage to data subjects. This further increases the seriousness
of the infringements.
Conclusion on seriousness of infringements
132. Having considered the nature, gravity and duration of the infringements,
as well as their clearly negligent character and the categories of personal
data affected, the Commissioner categorises the infringements as having
a high degree of seriousness.
133. In the absence of any aggravating or mitigating factors, the
infringements would warrant the imposition of a penalty. The
Commissioner’s consideration of any aggravating or mitigating factors
follows below.
59FOR PUBLIC RELEASE
Relevant aggravating or mitigating factors: Article 83(2)(c) any action taken
by the controller or processor to mitigate the damage suffered by the data
subjects
134. In assessing this factor, the Commissioner has considered the actions
taken by the PSNI to mitigate both actual and potential damage suffered
as a result of the 8 August Incident. The Commissioner has considered
the relatively prompt removal of the disclosed data from the
WhatDoTheyKnow website, the PSNI’s criminal investigation, the steps
taken to reduce the identifiability of PSNI officers and staff and the
support the PSNI offered them.
135. Naturally, the most effective mitigating action which the PSNI could have
taken was to seek the removal of the disclosed data from the
WhatDoTheyKnow website promptly. The Commissioner notes that the
PSNI requested removal of the disclosed data from the
WhatDoTheyKnow website 37 minutes after becoming aware of the
breach.132 The Commissioner considers this to be a relatively prompt
response.
136. The Commissioner notes the criminal investigation launched by the PSNI
on 9 August 2023 to investigate possible offences under the Terrorism
Act 2000 133. Using IP addresses, the PSNI sought to identify all
individuals who had accessed the disclosed data on the
WhatDoTheyKnow website. 134As of 18 October 2023, the investigation
had led to six arrests: one individual was charged, and five individuals
were bailed. As of 18 October 2023, the investigation had also been
132PSNI Initial enquiries response letter, 29 August 2023, p. 2.
133The disclosed data was considered to be information of a kind likely to be useful
to a person committing or preparing an act of terrorism.
134PSNI officers and staff who were identified as having accessed the disclosed data
were instructed to delete it.
60FOR PUBLIC RELEASE
monitoring the dark web for the disclosed data. 135 Public statements
made by the PSNI in connection with the arrests have reiterated that the
PSNI “… continue to work toward establishing those who possess
information relating to the data breach on August 8th, and will take
action to ensure that any criminality identified is dealt with robustly to
keep communities, and our officers and staff who serve them, safe.” 136
137. In a briefing to the Commissioner on 18 October 2023, the PSNI
suggested the criminal investigation, the arrests and public statements
are all likely to have made possession of the disclosed data
undesirable. 137 The Commissioner agrees this is likely to be true for
ordinary members of society, and that this goes some way to reducing
the risk of data subjects’ occupations becoming known to their family
and friends.
138. The Commissioner thinks it unlikely, however, that dissident republicans
would be much deterred by the PSNI’s actions. Indeed, as early as 10
August 2023, the then Chief Constable stated, “We have since become
aware of dissident republican claims that they are in possession of data
138
circulating on WhatsApp.” On 14 August 2023, the then Chief
Constable stated, “We are now confident that the workforce data set is
139
in the hands of Dissident Republicans”.
139. Paragraph 26 of this Penalty Notice sets out the steps taken by the PSNI
with the aim of reducing the identifiability of PSNI officers and staff.
135PSNI Op Sanukite Update, 18 October 2023 and Internal meeting notes from
PSNI visit on 18 October 2023, p. 2.
136Detectives investigating criminality linked to freedom of information data breach
make arrest | PSNI, 19 October 2023 (accessed 26 September 2024).
137Internal meeting notes from PSNI visit on 18 October 2023.
138
Statement from the Chief Constable on the data breach investigation | PSNI, 10
August 2023 (accessed 26 September 2024).
139Update from the Chief Constable on the data breach investigation | PSNI, 14
August 2023 (accessed 26 September 2024).
61FOR PUBLIC RELEASE
Those steps involved changing officer and staff identification numbers
and reducing their use.
140. The Commissioner is not in a position to assess the effect of these steps
on the risks identified at paragraph 69 above (namely, the risk of data
subjects being identified as PSNI officers/staff by family and friends, as
well as the risk of physical identification by dissident republicans).40
141. Paragraph 27 of this Penalty Notice sets out the main steps taken by the
PSNI to support officers and staff following the 8 August Incident.
142. The Commissioner does not consider these actions (the removal of the
disclosed data from the WhatDoTheyKnow website, the criminal
investigation, the steps to reduce the identifiability of officers and staff
and the support offered to them), taken collectively, amount to a
mitigating factor in his decision on whether to impose a penalty. These
actions were all entirely in line with what would reasonably be expected
of a police force responding to a personal data breach of this scale and
severity.
Relevant aggravating or mitigating factors: Article 83(2)(d) the degree of
responsibility of the controller or processor
143. A failure to implement appropriate technical or organisational measures
is inherent to infringements of Articles 5(1)(f) and 32(1) UK GDPR. The
PSNI’s responsibility for these infringements is therefore also inherent.
144. The PSNI was the sole controller in respect of the Relevant Processing.
The PSNI therefore bears full responsibility for the infringements.
14The notice of intent given to the PSNI on 20 May 2024 invited representations in
this regard, but none were received.
62FOR PUBLIC RELEASE
145. The Commissioner considers that any public authority responding to FOI
requests, regardless of size and financial position (i.e. the resources
available to it), could be reasonably expected to implement an
appropriate security measure which incorporates elements analogous to
those set out at paragraph 83 above - even where the nature of the
processing is low-risk.
146. The PSNI covers the second largest demographic in the UK and in the
financial year 2022-2023, received approximately £840 million in
funding from the Northern Ireland Assembly. 141The Relevant Processing
was high risk (see paragraphs 68 to 79 above). It follows even more that
the PSNI could have been reasonably expected to have implemented an
appropriate security measure.
147. The PSNI’s degree of responsibility is therefore an aggravating factor in
the Commissioner’s decision to impose a penalty.
Relevant aggravating or mitigating factors: Article 83(2)(e) any relevant
previous infringements by the controller or processor
148. The Commissioner is not aware of any relevant previous infringements.
This factor is therefore not relevant to his decision.
Relevant aggravating or mitigating factors: Article 83(2)(f) the degree of
cooperation with the Commissioner
149. Controllers and processors are expected to cooperate with the
Commissioner in the performance of the Commissioner’s tasks, for
141Police Service of Northern Ireland - Annual Report and Accounts for the year
ended 31 March 2023 (psni.police.uk), p. 106, 7 July 2023 (accessed 26 September
2024).
63FOR PUBLIC RELEASE
example by responding to requests for information and attending
meetings. The Commissioner considers that the ordinary duty of
cooperation is required by law (Article 31 UK GDPR) and meeting this
standard is therefore not a mitigating factor.
150. The PSNI has responded to requests for information during the
Commissioner’s investigation in a way that has enabled the enforcement
process to be concluded significantly more quickly and effectively. In
doing so, the Commissioner’s view is that the PSNI has demonstrated
good cooperation. This would, however, be reasonably expected of any
public authority. The Commissioner therefore considers this to be a
neutral, rather than mitigating, factor.
Relevant aggravating or mitigating factors: Article 83(2)(h) the manner in
which the infringements became known to the Commissioner
151. The infringements became known to the Commissioner as a result of his
investigation. That investigation was prompted by the 8 August Incident.
152. Although the Commissioner was notified by the PSNI of the 8 August
Incident, that notification, however prompt, was a legal requirement
(Article 33 UK GDPR).
153. The Commissioner therefore considers this factor to be neutral.
Relevant aggravating or mitigating factors: Article 83(2)(i) measures
previously ordered against the controller or processor
154. There are no measures referred to in Article 58(2) UK GDPR which have
previously been ordered against the PSNI concerning the same subject
64FOR PUBLIC RELEASE
matter. This factor is therefore not relevant to the Commissioner’s
decision.
Relevant aggravating or mitigating factors: Article 83(2)(j) adherence to
approved codes of conduct or certification mechanisms
155. There are no relevant codes of conduct or approved certification
mechanisms. This factor is therefore not relevant to the Commissioner’s
decision.
Relevant aggravating or mitigating factors: Article 83(2)(k) any other
applicable aggravating or mitigating factors
156. There are no other aggravating or mitigating factors applicable to the
circumstances of the case. This factor is therefore not relevant to the
Commissioner’s decision.
Conclusion on relevant aggravating and mitigating factors
157. The Commissioner has taken into account the degree of the PSNI’s
responsibility as an aggravating factor.
158. Consideration of the seriousness of the infringements (the first stage of
the assessment) indicated that a penalty is appropriate. The aggravating
factor strengthens that assessment.
159. The final stage involves consideration of the effectiveness,
proportionality and dissuasiveness of a penalty.
65FOR PUBLIC RELEASE
Effectiveness, proportionality and dissuasiveness
160. The Commissioner considers imposition of a penalty would be effective
and dissuasive. It would both promote compliance with data protection
legislation and provide an appropriate sanction for the infringements.
The PSNI will continue to have to process personal data when responding
to FOI requests, so there is a need to deter the PSNI from infringing the
security provisions of the UK GDPR again. There is also a need to deter
other public authorities subject to the Freedom of Information Act 2000
from committing such infringements.
161. Taking into account the high degree of seriousness of the infringements
(notably the damage suffered by data subjects) and the PSNI’s size and
financial position, the Commissioner considers that the imposition of a
penalty would be proportionate – it would not exceed what is appropriate
and necessary in the circumstances to ensure compliance with data
protection legislation and to provide an appropriate sanction for the
infringements.
C. Conclusion on decision on whether to impose a penalty
162. In light of the assessment above, the Commissioner has decided to
impose a penalty.
163. In June 2022, the Commissioner set out a revised approach to public
142
sector enforcement to be trialled over two years. To support this
approach, the Commissioner committed to working proactively with
142Open letter from UK Information Commissioner John Edwards to public
authorities, 30 June 2022. The revised approach (which was trialled for a two-year
period ending in June 2024) is currently under review. The revised approach
continues to be applied pending the outcome of that review: ICO statement on its
public sector approach trial | ICO.
66FOR PUBLIC RELEASE
senior leaders in the public sector to encourage compliance, prevent
harms before they occur, and learn lessons when things have gone
wrong. In practice, this means that for the public sector the
Commissioner has committed to increasing the use of public reprimands
and enforcement notices, only issuing fines in the most egregious
cases. 143
164. The Commissioner has had regard to the revised public sector approach
in reaching his decision to impose a penalty in this case. The
Commissioner is satisfied that this case is sufficiently egregious to
warrant the imposition of a penalty.
VI. CALCULATION OF PENALTY
165. The Fining Guidance sets out a five-step approach which the
Commissioner has applied to calculate the amount of the penalty:
Step 1: Assessment of the seriousness of the infringement.
Step 2: Accounting for turnover.
Step 3: Calculation of the starting point.
Step 4: Adjustment to take into account any aggravating or mitigating
factors.
Step 5: Assessment of whether the fine is effective, proportionate and
dissuasive.
Following the application of this five-step approach, the Commissioner
has gone on to consider the amount of the penalty in light of his revised
approach to public sector enforcement.
Statutory maximum penalty
143
See ICO25 – Our Regulatory Approach, 7 November 2022, p. 7.
67FOR PUBLIC RELEASE
166. Article 83(3) UK GDPR states that “if a controller or processor
intentionally or negligently, for the same or linked processing operations,
infringes several provisions of the UK GDPR, the total amount of the
administrative fine shall not exceed the amount specified for the gravest
infringement”. The PSNI’s three infringements (of Articles 5(1)(f), 32(1)
and 32(2) UK GDPR) were all for the same processing operations (the
Relevant Processing). The gravest infringement was that of Article
5(1)(f) UK GDPR.
167. The infringement of Article 5(1)(f) UK GDPR, which is a basic principle
for processing, is subject to the statutory maximum of £17.5 million
(Article 83(5)(a) UK GDPR). 144 Had the Commissioner imposed a
separate penalty for each of the three infringements, the total of those
three penalties could not have exceeded £17.5 million.
168. In this case, however, the Commissioner has calculated a single penalty
for all three infringements. This is because the three provisions infringed
are all of the same nature: they all seek to ensure the security of
personal data processing. 145The calculation proceeds on the basis of a
single statutory maximum of £17.5 million.
A. Step 1: Assessment of the seriousness of the infringement
144The turnover-based higher maximum applies only to undertakings with a total
worldwide annual turnover exceeding £437.5 million. The PSNI is not an
undertaking.
145For the avoidance of doubt, the Commissioner considers Articles 5(1)(f) and 32
UK GDPR to be evidently distinct provisions of the UK GDPR (notwithstanding the
degree of overlap). Had he calculated penalties for infringements of these provisions
separately, the Commissioner would have had to ensure, in accordance with Article
83(3) UK GDPR, that the total penalty did not exceed the amount specified for the
gravest infringement (that of Article 5(1)(f) UK GDPR). In this Penalty Notice,
however, the Commissioner has simply calculated a single penalty.
68FOR PUBLIC RELEASE
169. As set out at paragraphs 109 to 115 of the Fining Guidance, the
Commissioner determines a starting point for the penalty first by
assessing the seriousness of the infringement. The Commissioner
categorises the infringement according to its degree of seriousness and
then chooses a starting point based on a percentage of the relevant
applicable statutory maximum.
170. In this Penalty Notice (paragraph 132 above), the Commissioner has
categorised the infringements as having a high degree of seriousness.
This means that the starting point will be between 20% and 100% of the
relevant legal maximum (£17.5 million).
171. The Commissioner decides that the infringements warrant a starting
point of 80%.
172. A starting point lower than 80% is not warranted for the reasons set out
at paragraphs 101 to 132 above. The Commissioner does not repeat
those reasons here.
173. A starting point higher than 80% is not warranted for the following
reasons:
a) the purpose of the Relevant Processing was to comply with
statutory obligations;
b) the Relevant Processing was not extensive;
c) the infringements were not intentional.
B. Step 2: Accounting for turnover
174. Having assessed the seriousness of the infringements, the Commissioner
next determines any adjustment to reflect the size of the recipient of the
69FOR PUBLIC RELEASE
penalty. 146This is consistent with the need to ensure the amount of the
penalty is effective, proportionate and dissuasive.
175. Where the recipient is an undertaking, the Commissioner will determine
the adjustment by reference to the undertaking’s turnover. As explained
at paragraph 119 of the Fining Guidance, where a recipient is not an
undertaking and therefore does not have turnover (as is the case with
the PSNI), the Commissioner may instead have regard to other
indicators of the recipient’s financial position, such as assets, funding or
administrative budget.
176. Where a recipient is a public body, the Commissioner’s usual practice is
to have regard to the recipient’s administrative budget or expenditure.
The benefit of this approach is twofold: firstly, it acts as an easily
understood and standardised comparator; secondly, whilst still
correlated with the scale of the public body, it excludes core activities
and thus limits any adverse impact on public services.
177. As a measure of administrative expenditure, the Commissioner has used
the PSNI’s figure for actual expenditure on administrative and industrial
147 148
staff pay in the financial year 2023/24. This figure was £117 million.
178. As set out in the Fining Guidance, in the case of an undertaking with an
annual turnover of between £100 million and £250 million, the
Commissioner may apply an adjustment factor of 20% to 50% to the
146
As set out at paragraph 128 of the Fining Guidance, any such adjustment is
discretionary.
147Figure obtained from PSNI Finance Report provided to the Commissioner on 11
April 2024. As the financial year 2023/24 had only just ended, the PSNI was only
able to provide provisional figures. The PSNI’s final audited accounts for the year
2023/24 were laid before the Northern Ireland Assembly on 4 July 2024: Police
Service of Northern Ireland - Annual Report and Accounts for the year ended 31st
March 2024 (psni.police.uk) (accessed 26 September 2024).
148Rounded down from £117,653,000.
70FOR PUBLIC RELEASE
starting point. The Commissioner considers this range of adjustment is
also appropriate in this case.
179. As he has only taken into account the PSNI’s administrative
expenditure, the Commissioner considers a figure at the higher end of
this range of adjustment is appropriate: the Commissioner decides that
an adjustment of 40% is appropriate to reflect the PSNI’s size.
C. Step 3: Calculation of the starting point
180. The starting point of the penalty is calculated as follows:
Fixed statutory maximum amount (£17.5 million) x adjustment for
seriousness (80%) x turnover adjustment (40%) = £5,600,000 (£5.6
million)
D. Step 4: Adjustment to take into account any aggravating or
mitigating factors.
181. The Commissioner next takes into account any aggravating or mitigating
factors. These factors may warrant an increase or decrease in the level
of the penalty calculated at the end of Step 3 (the starting point of £5.6
million).
182. One aggravating factor influenced the Commissioner’s decision to
impose a penalty: the PSNI’s degree of responsibility (see paragraphs
143 to 147 above). On this occasion, the Commissioner considers the
starting point adequately reflects the PSNI’s degree of responsibility and
so an adjustment for this aggravating factor is not required. There is
therefore no adjustment at Step 4.
71FOR PUBLIC RELEASE
E. Step 5: Adjustment to ensure the fine is effective, proportionate
and dissuasive
183. As set out at paragraph 142 of the Fining Guidance, “the aim of Steps 1
to 4 of the calculation is to identify a fine amount that is effective,
proportionate and dissuasive. The purpose of Step 5 is to provide the
opportunity for the Commissioner to check that is the case.”
184. The Commissioner considers that a penalty of £5.6 million will be both
effective and dissuasive. A penalty of this amount will have a genuine
deterrent effect, taking into account both the specific deterrence to the
PSNI and the general deterrence to other organisations.
185. The penalty is specific to the egregious nature of the infringements and
reflects the PSNI’s economic situation. By adequately reflecting the fact
that the PSNI is a public body, the turnover adjustment applied (40%)
has ensured that the penalty is proportionate and appropriate to the size
and financial position of the PSNI. The penalty is not more than is
appropriate or necessary in the circumstances.
F. The Commissioner’s revised approach to public sector
enforcement
186. As explained at paragraph 163, in June 2022 the Commissioner set out
a revised approach to public sector enforcement. 149 Having considered
that revised approach, the Commissioner considers that it is appropriate
to reduce the amount of the penalty from £5.6 million to £750,000.
149Open letter from UK Information Commissioner John Edwards to public
authorities, 30 June 2022. The revised approach (which was trialled for a two-year
period ending in June 2024) is currently under review. The revised approach
continues to be applied pending the outcome of that review: ICO statement on its
public sector approach trial | ICO.
72FOR PUBLIC RELEASE
G. Conclusion - penalty
187. For the reasons set out above, the Commissioner decides to impose a
penalty on the PSNI of £750,000.
H. Financial hardship
188. Paragraph 151 of the Fining Guidance explains that “In exceptional
circumstances, the Commissioner may reduce a fine where an
organisation or individual is unable to pay because of their financial
position.”
189. The notice of intent (given to the PSNI on 20 May 2024) indicated that
the amount of the penalty the Commissioner proposed to impose was
£750,000. The PSNI made a claim of financial hardship in written
representations dated 14 June 2024.
190. As explained at paragraph 152 of the Fining Guidance, “The
Commissioner will only grant a reduction for financial hardship on the
basis of objective evidence that imposing the proposed fine would
irretrievably jeopardise an organisation’s economic viability… The
Commissioner will not base any reduction on the mere finding of an
adverse … financial situation.”
191. Whilst the Commissioner acknowledges the financial challenges faced by
the PSNI, the Commissioner is not convinced, on the basis of the
evidence put forward in the written representations, that the PSNI’s
economic viability would be irretrievably jeopardised as a result of a
penalty of £750,000.
192. Whilst the PSNI’s representations do not justify a reduction for financial
hardship, the Commissioner has considered those representations in
relation to the proportionality of the penalty amount as follows:
73FOR PUBLIC RELEASE
a) The PSNI’s final audited position for the year 2023/24 involves a
small resource underspend. This position assumes a penalty of
£610,000. 150 The PSNI initially submitted that a penalty of
£750,000 would result in the PSNI reporting a 2023/24 resource
overspend, “pushing PSNI into breaching spending limits” and
that this would “initiate a whole range of other unintended
consequences related to financial management, financial
151
reporting and Assembly accountability.” When probed by the
Commissioner, however, the PSNI stated that “If the fine
imposed is £750k, the £140k difference between the [£610,000]
accrual and the fine would be chargeable to the 2024-25
budget.” 152 The financial position for the year 2023/24 would
therefore remain unchanged.
b) The PSNI submitted that a penalty of £750,000 would frustrate
efforts to allocate additional resources to the improvement of
information management within the force. The representations
did not include specific proposals as to how funds arising from a
penalty reduction would be allocated. In applying the revised
approach to public sector enforcement to reduce the penalty
amount, the Commissioner has already taken impacts of this
nature into account. In any event, the Commissioner must
ensure that a penalty is not only proportionate but also a
deterrent and an effective sanction for the infringements.
193. The Commissioner has therefore not reduced the penalty amount from
£750,000 (the amount indicated in the notice of intent).
150PSNI letter to Commissioner, 12 July 2024, p. 1.
151PSNI written representations, 14 June 2024, p. 3-4.
152PSNI letter to Commissioner, 12 July 2024, p. 2.
74 FOR PUBLIC RELEASE
VII. PAYMENT OF THE PENALTY
194. The penalty must be paid to the Commissioner’s office by BACS transfer
or cheque by 25 October 2024.
195. Under paragraph 9(4) of Schedule 16 to the DPA, in Northern Ireland, a
penalty is recoverable—
a) if a county court so orders, as if it were payable under an order of
that court;
b) if the High Court so orders, as if it were payable under an order of
that court.
196. Under paragraph 9(1) of Schedule 16 to the DPA, the Commissioner
must not take action to recover a penalty unless—
a) the period for payment specified in this Penalty Notice (by 25 October
2024) has ended,
b) any appeals against this Penalty Notice have been decided or
otherwise ended,
c) if this Penalty Notice is varied, any appeals against the penalty
variation notice have been decided or otherwise ended, and
d) the period for the PSNI to appeal against the penalty, and any
variation of it, has ended.
VIII. RIGHTS OF APPEAL
197. By virtue of section 162 DPA, the PSNI may appeal to the First-tier
Tribunal (General Regulatory Chamber) (Information Rights) against this
Penalty Notice. The PSNI may appeal to the Tribunal against the amount
of the penalty, whether or not the PSNI appeals against the Penalty
Notice.
75FOR PUBLIC RELEASE
198. Information about the appeals process is set out in the Annex. Any notice
of appeal should be sent or delivered to the Tribunal so that it is received
within 28 days of the date of this Penalty Notice.
Dated: 26 September 2024
Stephen Bonner
Deputy Commissioner, Regulatory Supervision
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
76
