ICO (UK) - Police Service of Northern Ireland
ICO - Police Service of Northern Ireland | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 32 UK GDPR Article 5(1)(f) UK GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 08.08.2024 |
Decided: | 26.09.2024 |
Published: | 03.10.2024 |
Fine: | 75,000 GBP |
Parties: | Police Service of Northern Ireland (PSNI) |
National Case Number/Name: | Police Service of Northern Ireland |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | ao |
A DPA issued the Chief Constable of the Police Service of Northern Ireland with a £75,000 fine concerning the upload of a database including personal data on 9,483 police officers and staff to a public website.
English Summary
Facts
The Police Service of Northern Ireland (PSNI, the controller) managed an extensive database containing personal data on police officers and staff of the PSNI. The workforce data included (for all officers and staff who were in post, suspended or on a career break): surnames and first name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number.
The PSNI regularly responds to freedom of information requests and draws from this database in order to fulfil these requests. Processing of personal data of PSNI officers and staff took place whenever workforce data downloaded from the PSNI human resources management system was analysed in Excel to prepare information to be disclosed in response to freedom of information requests.
On 8 August 2024, an unauthorised disclosure of the personal data of all PSNI police officers and staff, occurred when a spreadsheet released in response to a freedom of information request was published on the website called “whatdotheyknow.com”. The excel database consisted of several sheets and one contained an unmarked tab used to generate the personal data on PSNI staff. This tab was not deleted before uploading the excel sheet to the website.
Holding
The ICO determined that between 25 May 2018 (the date of commencement of the application of the GDPR) and 14 June 2024 the PSNI infringed Articles 5(1)(f), 32(1) and 32(2) UK GDPR. The ICO explains that the breach could have materialised at any point during this lengthy period. The processing of the personal data was not carried out in a manner that ensured appropriate security of the data through using appropriate technical and organizational measures such as training for administrative staff.
The ICO states that the PSNI ought to have known that spreadsheet files are prone to hidden data (and therefore human error) and that the training provided to employees to prevent this, was insufficient.
The prolonged duration and the severity of the data breached was taken into account by the ICO when setting the penalty. The ICO initially set it at £5,600,000 but revised this number as the controller is a public sector enforcement body. The ICO issued a penalty notice to the Chief Constable of the Police Service to pay the Commissioner £750,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR PUBLIC RELEASE PENALTY NOTICE POLICESERVICE OFN ORTHERN IRELAND 26 September 2024FOR PUBLIC RELEASE Table of Contents I. INTRODUCTION AND SUMMARY...................................................4 II. RELEVANT LEGAL FRAMEWORK....................................................8 III. BACKGROUND TO THE INFRINGEMENTS....................................9 A. The personal data breach reported by the PSNI ..................................9 B. The PSNI’s relevant procedures, policies and guidance....................... 20 IV. THE COMMISSIONER’S FINDINGS OF INFRINGEMENT.............27 A. Controllership and jurisdiction ........................................................ 27 B. Nature of the personal data and context of the Relevant Processing .... 28 C. The infringements ......................................................................... 32 V. DECISION TO IMPOSE A PENALTY..............................................43 A. Legal framework – penalties........................................................... 43 B. The Commissioner’s decision on whether to impose a penalty............. 44 Seriousness of the infringements: Article 83(2)(a) the nature, gravity and duration of the infringements ................................................... 45 Seriousness of the infringements: Article 83(2)(b) the intentional or negligent character of the infringements .......................................... 53 Seriousness of the infringements: Article 83(2)(g) categories of personal data affected ................................................................................ 58 Conclusion on seriousness of infringements...................................... 59 Relevant aggravating or mitigating factors: Article 83(2)(c) any action taken by the controller or processor to mitigate the damage suffered by the data subjects .......................................................................... 60 Relevant aggravating or mitigating factors: Article 83(2)(d) the degree of responsibility of the controller or processor ...................................... 62 Relevant aggravating or mitigating factors: Article 83(2)(e) any relevant previous infringements by the controller or processor ........................ 63 Relevant aggravating or mitigating factors: Article 83(2)(f) the degree of cooperation with the Commissioner ................................................. 63 Relevant aggravating or mitigating factors: Article 83(2)(h) the manner in which the infringements became known to the Commissioner ......... 64 Relevant aggravating or mitigating factors: Article 83(2)(i) measures previously ordered against the controller or processor ....................... 64 Relevant aggravating or mitigating factors: Article 83(2)(j) adherence to approved codes of conduct or certification mechanisms...................... 65 Relevant aggravating or mitigating factors: Article 83(2)(k) any other applicable aggravating or mitigating factors...................................... 65 2FOR PUBLIC RELEASE Conclusion on relevant aggravating and mitigating factors ................. 65 Effectiveness, proportionality and dissuasiveness .............................. 66 C. Conclusion on decision on whether to impose a penalty ..................... 66 VI. CALCULATION OF PENALTY .....................................................67 A. Step 1: Assessment of the seriousness of the infringement................ 68 B. Step 2: Accounting for turnover...................................................... 69 C. Step 3: Calculation of the starting point........................................... 71 D. Step 4: Adjustment to take into account any aggravating or mitigating factors............................................................................................... 71 E. Step 5: Adjustment to ensure the fine is effective, proportionate and dissuasive.......................................................................................... 72 F. The Commissioner’s revised approach to public sector enforcement..... 72 G. Conclusion - penalty ..................................................................... 73 H. Financial hardship......................................................................... 73 VII. PAYMENT OF THE PENALTY .....................................................75 VIII. RIGHTS OF APPEAL .................................................................75 3FOR PUBLIC RELEASE DATA PROTECTION ACT 2018 ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER PENALTY NOTICE To: The Chief Constable of the Police Service of Northern Ireland Of: PSNI Headquarters 65 Knock Road Belfast BT5 6LE I. INTRODUCTION AND SUMMARY 1. Pursuant to section 155(1) of the Data Protection Act 2018 (“DPA”), the Information Commissioner (the “Commissioner”), by this written notice (“Penalty Notice”), requires the Chief Constable of the Police Service of Northern Ireland (the “PSNI”) to pay the Commissioner £750,000. 2. This Penalty Notice is given in respect of infringements of the UK General 1 Data Protection Regulation (“UK GDPR”). This Penalty Notice contains the reasons why the Commissioner has decided to impose a penalty, 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. For the period 25 May 2018 to 31 December 2020, references in this Penalty Notice to the UK GDPR should be read as references to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) as it applied in the UK during that period. 4FOR PUBLIC RELEASE including the circumstances of the infringements and the nature of the personal data involved. 3. In accordance with paragraph 2 of Schedule 16 to the DPA, the Commissioner gave a notice of intent to the PSNI on 20 May 2024, setting out the reasons why the Commissioner proposed to give the PSNI a penalty notice. In that notice of intent, the Commissioner indicated that the amount of the penalty he proposed to impose was £750,000. 4. On 14 June 2024, the PSNI made written representations about the Commissioner’s intention to give a penalty notice. On 5 July 2024 the Commissioner sought clarification on the written representations, which the PSNI provided on 12 July 2024. This Penalty Notice takes into account the written representations from the PSNI and, where appropriate, makes specific reference to them. 5. The Commissioner finds that between 25 May 2018 and 14 June 2024 3 the PSNI infringed Articles 5(1)(f), 32(1) and (2) UK GDPR for the reasons set out in this Penalty Notice. In summary: a) The infringements relate to the processing of personal data of PSNI officers and staff that took place whenever workforce data 4 downloaded from the PSNI human resources management system was analysed in Excel by PSNI staff to prepare information to be disclosed in response to freedom of information requests (the “Relevant Processing”). 2The date of commencement of the DPA and application of the GDPR. 3The date on which the Commissioner finds the PSNI implemented appropriate security measures (see paragraphs 90 to 93 below). 4 Specifically, the data file called “Combined 3C & Perlist”, which includes (for all officers and staff who are in post, suspended or on a career break at the time of download) the following categories of personal data: surnames and first name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number. 5FOR PUBLIC RELEASE b) The infringements of Article 5(1)(f) and Article 32 UK GDPR occurred because the Relevant Processing was not carried out in 5 a manner that ensured appropriate security of the personal data of PSNI officers and staff, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 UK GDPR. 6. As a consequence of the PSNI not having appropriate security measures in place as required by Article 5(1)(f) and Article 32 UK GDPR, the personal data of 9,483 police officers and staff was disclosed to a public- facing website on 8 August 2023 (the “8 August Incident”). 7. The 8 August Incident involved the unauthorised disclosure 6 of the personal data of all PSNI police officers and staff, when a spreadsheet released in response to a freedom of information (“FOI”) request was published on the website https://www.whatdotheyknow.com/. 8. On 10 August 2023, the PSNI described the 8 August Incident as an 7 “unprecedented and industrial scale data breach”. On 14 August 2023, the PSNI made the following statement: “We are now confident that the workforce data set is in the hands of Dissident Republicans. It is now a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff.” 9. On 22 August 2023, the PSNI and the Northern Ireland Policing Board commissioned an independent review into the circumstances surrounding the 8 August Incident. The final report of that independent 5Specifically, protection against unauthorised disclosure. 6Article 4(12) UK GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, 7r access to, personal data transmitted, stored or otherwise processed. Statement from the Chief Constable on the data breach investigation | PSNI, 10 August 2023 (accessed 26 September 2024). 8Update from the Chief Constable on the data breach investigation | PSNI, 14 August 2023 (accessed 26 September 2024). 6FOR PUBLIC RELEASE review described the 8 August Incident as “the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff, and communities.”9 10. The Commissioner received complaints from data subjects (PSNI officers and staff) describing the damage they suffered as a consequence of the 8 August Incident. The damage and distress described in the complaints is often severe and includes concerns about personal safety and the safety of family members, changes required to home security measures and the need to relocate. 11. In deciding to give this Penalty Notice, the Commissioner has had regard to the matters listed in Articles 83(1) and (2) UK GDPR. The Commissioner considers the imposition of a penalty is an effective, proportionate and dissuasive measure. The Commissioner has had regard to the revised approach to public sector enforcement 10 and is satisfied that this case is sufficiently egregious to warrant the imposition of a penalty. 12. Having had regard to the matters listed in Articles 83(1) and (2) UK 11 GDPR, and in accordance with his Data Protection Fining Guidance, the Commissioner determined the amount of the penalty as £5,600,000. The Commissioner has however had regard to the revised approach to public sector enforcement and has reduced the penalty amount to £750,000. 9PSNI Independent review final report, 11 December 2023, p. 2-3. 10 Open letter from UK Information Commissioner John Edwards to public authorities, 30 June 2022. The revised approach (which was trialled for a two-year period ending in June 2024) is currently under review. The revised approach continues to be applied pending the outcome of that review: ICO statement on its public sector approach trial | ICO. 11Data Protection Fining Guidance | ICO, 18 March 2024. 7FOR PUBLIC RELEASE II. RELEVANT LEGAL FRAMEWORK 13. Section 155 DPA provides that, if the Commissioner is satisfied that a person has failed, or is failing, as described in section 149(2) DPA, the Commissioner may, by written notice, require the person to pay to the Commissioner an amount in sterling specified in the notice. 14. The types of failure described in section 149(2) DPA include, at section 149(2)(a), “where a controller or processor has failed, or is failing, to comply with … a provision of Chapter II of the UK GDPR … (principles of processing)” and at section 149(2)(c), “where a controller or processor has failed, or is failing, to comply with … a provision of Articles 25 to 39 of the UK GDPR … (obligations of controllers and processors).” 15. Chapter II of the UK GDPR sets out the principles relating to the processing of personal data that controllers must comply with. Article 5(1) UK GDPR lists these principles and at point (f) includes the requirement that “personal data shall be … processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised … processing … using appropriate technical or organisational measures”. This is referred to in the UK GDPR as the “integrity and confidentiality” principle. 16. Article 32 UK GDPR (security of processing) materially provides: “(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk… 8 FOR PUBLIC RELEASE (2) In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from … unauthorised disclosure of … personal data transmitted, stored or otherwise processed.” 17. The legal framework for penalties is set out at Section V(A) below. III. BACKGROUND TO THE INFRINGEMENTS 18. This section summarises the relevant background to the findings of infringement. It does not seek to provide an exhaustive account of all the details of the events that have led to the issue of this Penalty Notice. A. The personal data breach reported by the PSNI 19. The PSNI is the police service responsible for law enforcement within Northern Ireland. The PSNI is “the only routinely armed service in the United Kingdom with the unique additional challenge of policing in the context of a ‘substantial’ terrorist threat”. 20. On 8 August 2023 at 17:10, the PSNI contacted the Commissioner’s office (the “ICO”) by phone to make the ICO aware of a personal data breach. At 20:20 on the same day, the PSNI submitted an online form to the Commissioner, formally reporting the personal data breach which 13 had taken place at 14:31 that day. The PSNI reported that at approximately 16:10, the PSNI’s Operational Support Department 12A History of Policing in Ireland | PSNI (accessed 26 September 2024). At the time of the 8 August Incident, the national security threat level was “severe” (a level higher than “substantial”). Further information about the context in which the PSNI operates has been set out at Section IV(B) below. 13 PSNI Initial breach report, 08 August 2023, p. 1. 9FOR PUBLIC RELEASE became aware that information which had been used to generate a response to an FOI request had been “provided by PSNI’s HR department in an unmarked tab on the Excel spreadsheet released as part of the FOI response. Whilst the FOI response had high level information being released in full under the FOIA, the unmarked tab used to generate the information was not deleted from the spreadsheet. It contained the names (surname and initial), ranks, contract types, cost codes regarding post funding for all PSNI officers and staff. The incident is now being investigated by PSNI under a Gold command structure”. 21. The timeline of events leading up to the 8 August Incident was as follows:4 3 August 2023 a) On 3 August 2023 the PSNI received an FOI request via the WhatDoTheyKnow website asking for “the number of officers at each rank and number of staff at each grade in tables as of 01/08/2023”. b) Six minutes later, the PSNI received another request (from the same person) via the WhatDoTheyKnow website: “Could you please provide the number of officers and staff at each rank or grade distinguishing between how many are substantive/temporary/acting as of 01/08/2023. Could you please provide this information in the form of tables for officers and tables for staff.” 14 The PSNI and the Northern Ireland Policing Board jointly commissioned an independent review into the 8 August Incident. The independent review was led by Pete O'Doherty, Temporary Commissioner for the City of London Police and National Police Chief’s Council Lead for Information Assurance and Cyber Security. The independent review’s final report (titled “Protecting From Within”) was published on 11 December 2023. The timeline of the 8 August Incident is set out in that final report at p. 15. 10FOR PUBLIC RELEASE c) The Corporate Information Branch (“CIB”) is the department within the PSNI responsible for handling FOI requests received by the PSNI. A member of staff in the CIB sent an acknowledgement to the requester. The acknowledgement explained that the requester’s “…requests on this subject [Officers and Staff by Rank and Grade] have been aggregated…”. Effectively, the PSNI would respond to the second request. 4 August 2023 d) The (second) FOI request was assigned to an FOI Decision Maker within CIB. FOI Decision Makers are the staff within CIB with day- to-day responsibility for handling FOI requests. They co-ordinate the identification and preparation of requested information and make decisions regarding the application of FOI exemptions. 15 For each FOI request, FOI Decision Makers are required to (contemporaneously) complete an FOI Audit Log. The FOI Audit Log is a checklist which sets out the various stages of handling an FOI request and the checks required at each stage. e) The assigned FOI Decision Maker identified Human Resources (specifically, the Workforce Planning Team) as the business area within the PSNI which held information relevant to the FOI request. The FOI Decision Maker asked the Workforce Planning Team to provide that information by sending the Workforce 15The PSNI’s FOI Service Instruction (updated October 2019) describes their role as follows: “The Decision-Maker will be the first port of call for FOI enquiries. This involves obtaining all relevant information and compiling responses to requests and appeals, through liaising with business areas.” (FOI Service Instruction, 2 October 2019, p. 16). 11FOR PUBLIC RELEASE Planning Team the wording of the FOI request along with a case 16 tracker form. 7 August 2023 f) A member of the Workforce Planning Team prepared the information requested using workforce data. Specifically, they used a file of data downloaded from the PSNI’s human resources management system (referred to internally as “SAP”). This data 17 file, referred to as “Combined 3C & Perlist”, was an Excel file (workbook) containing a single worksheet titled “SAP DOWNLOAD”. The workforce data included (for all officers and staff who were in post, suspended or on a career break at the time of download) the following categories of personal data: surnames and first name initials,job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number. The workforce data was analysed to prepare information relevant to the FOI request. Multiple other worksheets were created within the Excel file as part of this analysis, with one worksheet containing the final information prepared for FOI disclosure (the “Return worksheet”). g) The member of the Workforce Planning Team then deleted all the tabs visible on their screen from the Excel file, other than the tab for the Return worksheet. 18They did not know that the three 16 Case tracker forms “seek views from the business areas on the application of any relevant harm in releasing information into the public domain as well as the application of any cost considerations” (PSNI Second enquiries response letter, 22 September 2023, p. 5). 17PSNI Further enquiries response letter, 22 March 2024, p. 2-3. 18 Worksheets are typically displayed as tabs at the bottom of an Excel file (a workbook). A workbook can contain hundreds of worksheets, but the number of tabs that are displayed at any given time is limited (how many tabs are displayed can also be affected by the length of the horizontal scrollbar at the bottom of the workbook). When there are more worksheets than there are visible tabs, three 12FOR PUBLIC RELEASE horizontal dots to the left of the remaining visible tab (the tab for the Return worksheet) indicated that the Excel file continued to contain the “SAP DOWNLOAD” worksheet which contained the workforce data (as originally downloaded from the human resources management system, SAP). 8 August 2023: h) The Excel file was then sent to the Head of Workforce Planning for quality assurance, who opened the Excel file and inspected the (only) visible tab (the tab for the Return worksheet). They checked that the information contained in the Return worksheet was accurate and relevant to the FOI request. 19 The Head of Workforce Planning did not notice the three horizontal dots or was unaware of what they represented. 20 Following this quality assurance, the Excel file was sent at 10:09 to the FOI Decision 21 Maker in CIB. i) Using Microsoft Word, the FOI Decision Maker then drafted a letter responding to the FOI request. The FOI Decision Maker attempted to copy the prepared information across (from the Return worksheet of the Excel file to the Word document) but, on this occasion, they were unable to do so. They therefore decided to disclose the Excel file as a separate file accompanying their response letter. The FOI Decision Maker also did not notice the three horizontal dots or was unaware of what they horizontal dots appear to the left of the visible tabs (and another set of three horizontal dots can appear to the right). These dots indicate that there are more worksheets than there are visible tabs. Deleting visible tabs does not guarantee deletion of all worksheets in a workbook (unless a user attempts to delete all visible tabs). 19PSNI Fourth enquiries response letter, 13 December 2023, p. 2. 20PSNI Third enquiries response letter, 15 November 2023, p. 3. 21PSNI Fourth enquiries response letter, 13 December 2023, p. 2. 13FOR PUBLIC RELEASE represented. The FOI Decision Maker sent the response letter and accompanying Excel file to the PSNI’s Strategic 22 Communications and Engagement Department (“SCED"). SCED had asked to have sight of the prepared information prior to its disclosure to the FOI requester. The SCED staff who reviewed the Excel file (and approved its disclosure ) also did not notice the three horizontal dots or were unaware of what they represented. j) At 14:31 the FOI Decision Maker uploaded the response letter and accompanying Excel file to the WhatDoTheyKnow website. The Excel file contained the Return worksheet (as was intended) but also contained (unknown to the FOI Decision Maker) the “SAP DOWNLOAD” worksheet. k) Either by clicking on the three horizontal dots to the left of the visible tab or by using the arrows to the left of those three horizontal dots, the “SAP DOWNLOAD” worksheet would become visible as a tab, which, once clicked, would make the “SAP DOWNLOAD” worksheet visible on screen. l) The PSNI became aware of the presence of the “SAP DOWNLOAD” worksheet in the uploaded Excel file at approximately 16:10, when officers alerted the PSNI’s Operational Support Department Staff Office. 24 The PSNI contacted the WhatDoTheyKnow website administrators at 16:47 to request removal of the Excel file. The WhatDoTheyKnow website administrators responded at 16:51 to confirm that the 22PSNI Second enquiries response letter, 22 September 2023, p. 4. 23PSNI Initial enquiries response letter, 29 August 2023, p. 4. 24 PSNI Initial enquiries response letter, 29 August 2023, p. 2. 14FOR PUBLIC RELEASE Excel file had been hidden from external view, and at 17:27 confirmed that the Excel file had been deleted from the website. m) The “SAP DOWNLOAD” worksheet was accessible to the public via the WhatDoTheyKnow website for approximately 2 hours and 20 minutes (between the hours of 14:31 and 16:51). 22. At 17:10 on the same day, the PSNI’s Head of Corporate Information informed the ICO of the incident by telephone. At 20:20, they submitted a data breach report online. 25 The report confirmed that the PSNI considered the 8 August Incident met the threshold for notifying a personal data breach to the Commissioner under Article 33 UK GDPR. 23. The 8 August Incident was communicated to the data subjects whose personal data had been disclosed (all PSNI officers and staff) on the same day at 17:07 by email. 26 24. Upon becoming aware of the 8 August Incident the PSNI launched ”Operation Sanukite”. The Gold Commander 27of this operation was Assistant Chief Constable Todd, who is also the PSNI’s Senior Information Risk Owner (“SIRO”). The strategy for Operation Sanukite was first drawn up on 10 August 2023, and set 15 objectives, the first two of which were “1) To prioritise the protection of officers and staff. 2) To contain the data leak as much as possible to prevent further consequences.” In describing the 8 August Incident, the strategy noted that “The implications for the police service in terms of reputation etc. are immense.” 28 25PSNI Initial breach report, 8 August 2023. 26Internal meeting notes from PSNI visit on 18 October 2023, p. 1. 27A GSB (gold silver bronze) structure is a command hierarchy that is often applied to police operations. The Gold Commander has overall strategic command of an operation. See Command structures | College of Policing (accessed 26 September 2024) 28PSNI Gold Strategy - Op Sanukite, 10 August 2023 p. 3. 15FOR PUBLIC RELEASE 25. On 14 August 2023 the PSNI provided a public update on Operation Sanukite, which included the following statement: “We are now confident that the workforce data set is in the hands of Dissident Republicans. It is now a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff. I won’t go into detail for operational reasons but we are working round the clock to assess the risk and take measures to mitigate it." 29 26. The PSNI provided an in-person briefing on Operation Sanukite to the 30 Commissioner’s investigation team on 18 October 2023. The PSNI explained that as part of Operation Sanukite, the PSNI was taking steps to change officer and staff identification numbers and to reduce their use. The Commissioner understands these steps were aimed at reducing the identifiability of PSNI officers and staff. They included: a) Ensuring service numbers and staff numbers do not appear on payslips. Service numbers are identification numbers which are not public-facing, and which are issued to all officers. They are equivalent to “warrant numbers” or “police numbers”. Staff numbers are identification numbers issued to police staff. Both service numbers and staff numbers were included in the workforce data that was disclosed as part of the 8 August Incident. b) Seeking legislative changes so that officers could be identified on search records, warrants and other legal documents other than 31 by means of their service numbers. 29 Update from the Chief Constable on the data breach investigation | PSNI, 14 August 2023 (accessed 26 September 2024). 30Internal meeting notes from PSNI visit on 18 October 2023. 31PSNI Op Sanukite Update, 18 October 2023 and Internal meeting notes from PSNI visit on 18 October 2023. 16FOR PUBLIC RELEASE c) Changing the shoulder numbers of all officers. A shoulder number is an identification number (different to a service number) worn on epaulettes by uniformed officers at certain ranks. They were not included in the workforce data which was disclosed as part of the 8 August Incident. 27. Other steps the PSNI has taken to mitigate the impact of the 8 August Incident on the affected data subjects include :2 a) Setting up an Emergency Threat Management Group (“ETMG”). PSNI staff and officers were able to refer themselves to the ETMG to raise their concerns at a one-to-one meeting with a senior manager. Appropriate risk mitigations (such as financial support 33 34 for security enhancements to homes or relocation ) would be discussed at these meetings. Due to the high volume of referrals, the ETMG first categorised referrals using a RAG rating. Those referrals which the ETMG categorised as “red” were prioritised. The factors taken into account in this assessment included: the area where the individual lived and their relevant community background; whether the individual had an uncommon name; whether the individual had received previous threats; whether the individual had a personal protection weapon; whether the individual worked in a high-risk area such as source handling or terrorism investigations; and any other specific factors raised in the referral. The ETMG was set up to operate seven days a week, 7am to 7pm, with out of hours availability. b) Senior officers visiting and engaging with their officers and staff to offer support and reassurance. 32PSNI Initial enquiries response letter, 29 August 2023, p. 11. 33PSNI Op Sanukite Update, 18 October 2023, p. 1. 34Internal meeting notes from PSNI visit on 18 October 2023, p. 2. 17FOR PUBLIC RELEASE c) Regularly communicating updates relating to the 8 August Incident to officers and staff. d) Enabling officers and staff to access a copy of their personal data that had been disclosed as part of the 8 August Incident. 35 e) Providing additional guidance to line managers around the range of welfare and wellbeing support available to officers and staff, as well as guidance on holding crisis management briefings with teams. f) Setting up FAQ pages on the PSNI intranet to assist officers and staff, such as by providing guidance on how to remove entries from the open electoral register and on how to remove personal information from the Companies House register. The PSNI has agreed to reimburse officers and staff for the costs of removing 36 information from the Companies House register. g) Offering financial support to officers and staff who have been directly linked to a terrorist investigation to support security 37 enhancements to their home. 28. Policies and guidance (relevant to the security of the Relevant Processing) which the PSNI introduced following the 8 August Incident are described at paragraphs 45 to 47 below. 35PSNI Initial enquiries response letter, 29 August 2023, p. 4. 36Internal meeting notes from PSNI visit on 18 October 2023, p. 4. 37PSNI Op Sanukite Update, 18 October 2023, p. 1. 18FOR PUBLIC RELEASE 29. On 4 September 2023, the Secretary of State for Northern Ireland made a statement on the 8 August Incident in the House of Commons. 38The Secretary of State noted that “This data breach is deeply concerning and significant. Recent events in Northern Ireland, including the terrible attack on Detective Chief Inspector John Caldwell, show there are still a small minority in Northern Ireland who wish to cause harm to PSNI Officers and staff in Northern Ireland. ... there is significant concern about the consequences of this data breach. Many PSNI officers and staff have raised concerns about themselves and their family … In response to these concerns, the PSNI and wider security partners are taking appropriate action and are working around the clock to investigate the incident, provide reassurance and mitigate any risk to the safety and security of officers and staff. As of 30 August 3,954 self referrals have been made to the PSNI’s Emergency Threat Management Group. This is part of the welfare and support services which have been made available to PSNI officers.” 30. The UK Parliament’s Northern Ireland Affairs Committee launched a probe into the 8 August Incident, 39taking oral evidence in September and December 2023. 40 Evidence was taken from the PSNI, bodies representing officers and staff, and the Northern Ireland Policing Board 41 (“NIPB”). 31. The PSNI and the NIPB jointly commissioned an independent review into the 8 August Incident. The independent review was led by Pete O'Doherty, Temporary Commissioner for the City of London Police and 38Secretary of State's speech - PSNI data breach - GOV.UK (www.gov.uk), 4 September 2023 (accessed 26 September 2024). 39 40Other personal data breaches were also within the scope of the probe. PSNI data breaches - Committees - UK Parliament (accessed 26 September 2024). 41The NIPB is an independent public body with a range of statutory functions, including oversight of the PSNI. 19FOR PUBLIC RELEASE National Police Chief’s Council (“NPCC”) Lead for Information Assurance and Cyber Security. The independent review’s final report (titled “Protecting from Within”) was published on 11 December 2023. The report referred to the 8 August Incident as “the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff, and communities.” B. The PSNI’s relevant procedures, policies and guidance Organisational measures in place prior to the 8 August Incident 32. During his investigation, the Commissioner asked for information about the PSNI’s procedure for handling FOI requests. The PSNI initially responded by referring to the FOI Service Instruction.42 33. The PSNI’s FOI Service Instruction purports to be a document which “clearly defines the responsibilities placed on the Police Service of Northern Ireland to ensure compliance with the Freedom of Information 43 Act 2000 and the Environmental Regulations 2004”. It was first issued on 17 May 2018. It was updated in October 2019 and again in July 44 2023. 34. During the investigation, the PSNI explained that the FOI Service Instruction contained only a high-level description of how FOI requests 42PSNI Initial enquiries response letter, 29 August 2023, p. 4. 43PSNI FOI Service Instruction, 2 October 2019, p. 1. 44PSNI Fourth enquiries response letter, 13 December 2023, p. 4. 20FOR PUBLIC RELEASE were handled; 45the PSNI went on to provide more detailed explanations of the procedure. 35. On the basis of those explanations, the Commissioner finds that in 46 practice, the procedure (as it related to the Relevant Processing ) consisted of the following key steps: a) Each FOI request is assigned to an FOI Decision Maker from CIB, whose responsibilities include completing an FOI Audit Log (a checklist which sets out the stages of handling an FOI request and the checks required at each stage). b) The assigned FOI Decision Maker identifies the relevant team (in this case, the Workforce Planning Team) as the business area within the PSNI which holds information relevant to the FOI request. The FOI Decision Maker asks the Workforce Planning Team to provide that information. 47 c) A member of the Workforce Planning Team uses workforce data to prepare the information requested. Specifically, they use a file of data downloaded from the PSNI’s human resources management system (SAP). This data file, referred to as 48 “Combined 3C & Perlist”, is an Excel file (workbook) containing a single worksheet titled “SAP DOWNLOAD”. The workforce data 45 PSNI Second enquiries response letter, 22 September 2023, p. 5. The July 2023 version was not, however, in effect at the time of the 8 August Incident. 46That is, the procedure for handling those FOI requests which required analysis of workforce data downloaded from SAP. 47Specifically, the FOI Decision Maker sends the Workforce Planning Team the wording of the FOI request along with a case tracker form. Case tracker forms “seek views from the business areas on the application of any relevant harm in releasing information into the public domain as well as the application of any cost considerations” (PSNI Second enquiries response letter, 22 September 2023, p. 5). 48PSNI Further enquiries response letter, 22 March 2024, p. 2-3. 21FOR PUBLIC RELEASE within the Excel file is analysed to prepare information relevant to the FOI request. 49 Multiple other worksheets are created within the Excel file as part of this analysis, with one worksheet (a Return worksheet) containing the information prepared for FOI disclosure. This prepared information usually takes the form of a table (and can sometimes be an Excel Pivot Table). All other worksheets (containing the workforce data as downloaded and any other data workings) are deleted from the Excel file, which is then saved as a “return copy” file. The return copy Excel file ought to contain only the Return worksheet. 50 d) The Head of Workforce Planning (as the relevant Operational Lead) quality assures the return copy Excel file, 51which involves checking the information prepared is accurate and relevant to the FOI request. 52 It is then sent to the FOI Decision Maker in CIB. e) The FOI Decision Maker 53 reviews the return copy Excel file and drafts an FOI response letter. The return copy Excel file may be disclosed to the FOI requester as a separate attachment to the FOI response letter; alternatively, the prepared information contained in the return copy Excel file may be incorporated into the FOI response letter itself. The FOI Decision Maker applies redactions as appropriate. 49The analysis of this personal data in Excel is the Relevant Processing with respect to which this Penalty Notice is given. 50PSNI Fourth enquiries response letter, 13 December 2023, p. 2. 51 52PSNI Third enquiries response letter, 15 November 2023, p. 4. PSNI Fourth enquiries response letter, 13 December 2023, p. 2. 53Also referred to as “Corporate Information Decision-Makers” in the FOI Service Instruction. 22FOR PUBLIC RELEASE f) The FOI Decision Maker may 54 discuss the draft FOI response letter with their line manager (a Corporate Information Team Leader) (“Team Leader”). If a discussion takes place, the Team Leader will assess whether quality assurance 55is required (for instance, if the request is sensitive 56or complex ). The types of issues which would typically be raised in these discussions would include the statutory exemptions that might apply, any harm that might arise in making the FOI disclosure and whether there had been any similar FOI requests. If quality assurance is considered necessary, the draft FOI response letter (along with any attachment) is sent to the Team Leader. Quality assurance by the Team Leader involves completion of the FOI Response Quality Assurance Checklist, which includes points such as “Are the relevant exemptions listed by number, subsection and title” and “If prejudice based exemptions is the harm correctly 58 explained” and “Format Correct / Spellchecked”. 54 The PSNI stated (PSNI Third enquiries response letter, 15 November 2023, p. 4) that “only FOI responses identified as requiring further QA are discussed at 1-1 meetings”. The PSNI subsequently stated (PSNI Fourth enquiries response letter, 13 December 2023, p. 3) that “while all responses should be discussed in general terms with a manager, these discussions may not take place at a 1-1 meeting”. The Commissioner is not convinced that the PSNI’s procedure required the FOI Decision Maker to discuss every proposed FOI response with a line manager (whether in general or specific terms, and whether at pre-scheduled weekly 1-1 meetings or outside such meetings). The Commissioner notes that in the specific instance of the 8 August Incident, the FOI Decision Maker did not discuss the proposed response with a line manager; despite this, the PSNI maintain that the FOI Decision maker involved in the 8 August Incident “followed the current process” (PSNI Fourth enquiries response letter, 13 December 2023, p. 3; Copy of the FOI Audit Log completed by FOI Decision Maker, p. 3; PSNI Third enquiries response letter, 15 November 2023, p. 2). 55PSNI Second enquiries response letter, 22 September 2023, p. 5. 56PSNI Third enquiries response letter, 15 November 2023, p. 4 and PSNI Second enquiries response letter, 22 September 2023, p. 6. 57PSNI Second enquiries response letter, 22 September 2023, p. 6. 58PSNI 2019 QA Log. 23FOR PUBLIC RELEASE g) Following any quality assurance by the Team Leader, the FOI decision maker discloses the FOI response letter (along with any 59 attachment) to the FOI requester. This may be done through the WhatDoTheyKnow website. 36. This procedure was followed by PSNI staff in connection with the 8 August Incident (see the timeline at paragraph 21 above). The PSNI informed the Commissioner that “staff members followed the current process but this did not prevent the additional data from being attached to the response … no misconduct proceedings against staff are being 60 initiated as a result.” 37. The Commissioner has considered whether the FOI Service Instruction, FOI Audit Log or FOI Response Quality Assurance Checklist contained any guidance that could have prevented incidents such as the 8 August Incident. In particular, the Commissioner considered whether these documents contained any guidance relating to Excel files and checks for hidden data. 38. Prior to the 8 August Incident, the PSNI’s FOI Service Instruction did not contain any guidance relating to the secure analysis of personal data in Excel (in particular, the importance of ensuring personal data was – if appropriate - removed from Excel files once analysis had been completed). The FOI Service Instruction did not contain any guidance relating to the format in which electronic files should be disclosed to an FOI requester. Whilst the FOI Service Instruction referred to checks and quality assurance, it provided no guidance as to what those checks and 59The PSNI’s Strategic Communications and Engagement Department may also review the proposed response prior to disclosure. 60 PSNI Third enquiries response letter, 15 November 2023, p. 2. 24FOR PUBLIC RELEASE assurance processes should entail. In particular, there was no guidance 61 to check FOI response letters and their attachments for hidden data. 39. The template FOIA Audit Log includes questions such as: “Have you double-checked the contact details of the requester to ensure they are accurate?” and “Has the requester expressed a format to receive the information?”. There is however no guidance relating to the appropriate format in which electronic files should be disclosed, and there is no question prompting the FOI decision maker to check FOI response letters and attachments for hidden data. The FOI Response Quality Assurance Checklist is similarly deficient. 40. The PSNI also confirmed that, prior to the 8 August Incident, there was no guidance or policy on the use of Excel, whether specific to the context of handling FOI requests or more generally. 62 41. The Commissioner also investigated whether PSNI staff and officers involved in handling FOI requests had received any training which might have prevented incidents such as the 8 August Incident. 42. The Commissioner reviewed the mandatory FOI training for all PSNI staff and officers (“all-staff FOI training”). Staff in the PSNI’s Workforce Planning Team, who would carry out the Relevant Processing, would 61 Once FOI Decision Makers have made any redactions to the prepared information, the July 2023 FOI Service Instruction states “Whilst all requests are discussed at a weekly 1-1, where relevant, requests will be sent to a team leader or other senior staff member if appropriate for quality assurance” (FOI Service Instruction, July 2023, p. 15). The October 2019 version on the other hand simply instructs FOI Decision Makers to “Send [the proposed response] to team leader for quality assurance” (FOI Service Instruction, 2 October 2019, p. 15). For the reasons given at footnote 54 above, the Commissioner does not consider that, in practice, a discussion with a Team Leader was a required step in the PSNI’s FOI handling procedure. 62PSNI Initial enquiries response letter, 29 August 2023, p. 5. 25FOR PUBLIC RELEASE receive this training. The Workforce Planning Team staff involved in the 8 August Incident had received this training. 63 43. The Commissioner also reviewed the “FOI/SAR Decision Maker” training which is mandatory for staff in the CIB (such as FOI Decision Makers and the Team Leader). The CIB staff involved in the 8 August Incident had received this training. 64 44. Prior to the 8 August Incident, neither the all-staff FOI training nor the “FOI/SAR Decision Maker” training raised awareness of the risk that FOI response letters and their attachments might contain hidden data. 65 There was no guidance relating to checks for hidden data or the format in which electronic files should be disclosed. Organisational measures introduced in August/September 2023 45. Once aware of the 8 August Incident, on the day of the personal data 66 breach, the PSNI’s SIRO decided that, going forward, FOI responses should be provided in PDF format only (Excel files were not to be 63PSNI Third enquiries response letter, 15 November 2023, p. 5. 64PSNI Third enquiries response letter, 15 November 2023, p. 5. 65The Commissioner notes that the “FOI/SAR Decision Maker” training contained the following paragraph: “Metadata: Metadata collected in electronic documents is also classed as being held for the purposes of FOI and if requested there is an expectation that this will be released to the requester. This metadata may contain the author, date, size; file paths, editing history, and formatting information of the document. In PSNI this is not normally provided and if requested we need to be mindful of the security of our staff (remove names) and our information.” This paragraph only refers to scenarios where metadata is specifically requested by an FOI requester. It does not require the metadata of electronic documents to be checked as a matter of course (i.e. in scenarios where the FOI requester has not specifically requested metadata). The paragraph therefore does not relate to a check for hidden data. 66The SIRO role is at Assistant Chief Constable (ACC) rank and provides “strategic decision making at a senior level responsible for promoting information governance and ensuring mitigation of information risks, including those linked to personal data” (Data Protection Service Instruction, 11 February 2019, p. 5). The SIRO was (and continues to be) ACC Todd, who is also the Gold Commander of Operation Sanukite (PSNI Gold Strategy - Op Sanukite, 10 August 2023, p. 8). 26FOR PUBLIC RELEASE attached), regardless of the format in which information had been requested. 67 This decision (the “PDF Policy”) was communicated as a “direction” to CIB staff on 9 August 2023. 68 46. By 29 August 2023 the PSNI had taken the decision “that all external products must be flattened by PDF unless authorised by the Gold 69 command structure in place.” 47. On 8 September 2023, the PSNI issued an “Interim Guidance on Sharing Data Securely” (the “Interim Guidance”). 70 The Interim Guidance applied to any instance of “sharing MS Excel data externally” (not just in the context of FOI responses) and it advised officers and staff on how to do so securely. In relation to FOI responses specifically, the Interim Guidance stated “Flattened PDF/CSV files only for responses to all public requests, FOI or otherwise.” The Interim Guidance went on to illustrate how an Excel file can be saved as a PDF or CSV file. It was provided to staff within the CIB.71 IV. THE COMMISSIONER’S FINDINGS OF INFRINGEMENT A. Controllership and jurisdiction 67 PSNI Initial breach report, 08 August 2023, p. 4. As the Commissioner explains at paragraph 88 below, this policy was contrary to the PSNI’s obligations under the Freedom of Information Act 2000. 68 PSNI Email to the ICO responding to an additional query, 25 March 2024. 69 PSNI Initial enquiries response letter, 29 August 2023, p. 5. The Commissioner understands this decision did not apply to FOI responses: the PDF Policy and the Interim Guidance indicate that FOI responses were not capable of such authorisation by the Gold command structure (i.e. FOI responses had to be flattened to PDF/CSV format, without exception). 70 PSNI Interim security guidance on safe data sharing, 8 September 2023. 71 PSNI Further enquiries response letter, 22 March 2024, p. 4. 27FOR PUBLIC RELEASE 72 48. The PSNI was the controller in respect of the Relevant Processing. The PSNI determined its purpose and means within the meaning of Article 4(7) UK GDPR. The PSNI’s Adult Privacy Notice confirms the PSNI is “obliged to process” personal data of “personnel including … police officers and police staff” pursuant to “legal obligations including enactments”, and that it is a controller in respect of such processing. 73 49. The UK GDPR applied to the Relevant Processing by virtue of Articles 2(1) and 3(1) UK GDPR. The Relevant Processing was structured processing of personal data, it took place in the context of the activities of a controller established in the UK, and none of the exceptions in Article 2 UK GDPR applied. 50. Part 2 of the DPA applied to the Relevant Processing by virtue of section 4 DPA. B. Nature of the personal data and context of the Relevant Processing 74 51. The workforce data involved in the Relevant Processing was personal data. It included a field for a (unique) service or staff number, which was an identifier (enabling the PSNI to directly distinguish one officer/staff member from another). The workforce data also contained two further fields: a data subject’s full surname and first name initials. Collectively, these two further fields are highly likely to have been an identifier from the PSNI’s perspective. 72The processing of personal data of PSNI officers and staff that took place whenever workforce data was analysed in Excel by PSNI staff to prepare information 73 response to freedom of information requests. Adult Privacy Notice | PSNI (accessed 26 September 2024). 74Specifically, the data file downloaded from the PSNI’s human resources management system called “Combined 3C & Perlist”. Whilst PSNI staff may have analysed other types of human resources data in Excel to prepare FOI responses, the Commissioner’s investigation has focused solely on “Combined 3C & Perlist”. 28FOR PUBLIC RELEASE 52. These identifiers (staff/service number; and the combination of surname 75 and initials) and the 28 other fields contained in the workforce data which were associated with these identifiers (fields such as job role, rank/grade, department, post location, contract type and gender) constituted personal data: they were information relating to identified natural persons. The workforce data did not contain personal addresses of data subjects. 53. The workforce data downloaded and analysed to prepare a response to an FOI request (both in connection with the 8 August Incident and otherwise) was therefore personal data within the meaning of Article 4(1) UK GDPR and section 3(2) DPA. The 8 August Incident involved the 76 unauthorised disclosure of this personal data. 54. To understand the sensitivity of this personal data, it is important to recognise the history and unique political and policing context within Northern Ireland. 55. Since the foundation of Northern Ireland in 1921, the region has experienced sectarian conflict and violence known as “the Troubles”. Throughout much of Northern Ireland there has been a long history of deep and seemingly irreconcilable divisions between nationalists (predominantly Roman Catholic) and unionists (generally Protestant). 56. It is however relevant to note that that whilst the Belfast Agreement (known as the Good Friday Agreement) was signed in 1998 and brought an end to the majority of the violence of the Troubles, there are dissident paramilitary groups who reject the political process and the institutions 75PSNI Anonymised copy of the spreadsheet disclosed as part of data breach contains 32 fields, but one of these is “not used”. There is therefore a total of 31 information fields. 76 PSNI Initial breach report, 8 August 2023. 29FOR PUBLIC RELEASE created by the Good Friday Agreement. It has been reported that these dissident groups seek to destabilise Northern Ireland through the tactical use of violence, targeting members of the PSNI and other security personnel as well as seeking to cause disruption and economic damage. 77 57. There remains a real risk to members of the PSNI 78and the shooting of a senior police officer in February 2023 was a reminder of the threat still faced by police officers in Northern Ireland. As a result of this shooting, in March 2023 MI5 raised the national security threat level for Northern Ireland from ”substantial” to ”severe”, meaning that the risk of a (Northern Ireland-related) terrorist attack was ”highly likely”. 79 58. In response to the 8 August Incident, Assistant Chief Constable Chris Todd recognised that the PSNI “is operating in an environment where there is a Severe threat of attack against our officers and staff from Northern Ireland Related Terrorism (NIRT). From the outset therefore a key planning assumption will be that a “reasonable worst case scenario” is that the data falls into the hands of those that would use it to cause harm to our officers, staff and their families”.80 59. The threat from dissident republicans is particularly acute in the case of PSNI officers/staff who are from a Catholic community background. 77Dissident republicans in Northern Ireland - what do they want? An explainer – The 78ish News, 10 September 2023 (accessed 26 September 2024) Dissident republicans: Why Northern Ireland police are still a target - BBC News, 14 August 2023 (accessed 26 September 2024). 79Northern Ireland-related Terrorism threat level raised - GOV.UK (www.gov.uk), 28 March 2023 (accessed 26 September 2024). The threat level was reduced to “substantial” on 6 March 2024: Statement from the Secretary of State on the Northern Ireland Security Update - GOV.UK (www.gov.uk) (accessed 26 September 2024). 80PSNI Gold Strategy - Op Sanukite, 10 August 2023. 30FOR PUBLIC RELEASE According to the latest PSNI workforce composition statistics, 33% of officers and 19% of staff are “perceived Roman Catholic”. 81 60. In light of this threat, in order to protect themselves and their friends and family, many PSNI officers and staff take steps to conceal their 82 occupation from the world at large. 61. The Commissioner notes that the extent to which PSNI officers and staff are able to conceal their occupation will vary according to specific role. PSNI officers in public-facing roles may only be able to conceal their occupation to a limited extent. PSNI staff who are in back-office roles may be more able to conceal their occupation. 62. The Commissioner also notes that some PSNI officers and staff choose not to conceal their occupation, despite their roles permitting them to do so. 63. Officers involved in covert roles, however, have no choice but to conceal their occupation. The workforce data which was subject to the Relevant Processing (and which was disclosed in the 8 August Incident) included the personal data of officers involved in covert roles (including their last name and first name initials). The Commissioner understands that although the workforce data did not explicitly label a given data subject as an officer involved in a covert role, strong inferences could be drawn to that effect (for instance, a data subject in the Crime Department’s 83 Intelligence Branch whose unit was marked “secret” was likely to be an officer involved in a covert role). 81Workforce Composition Statistics | PSNI, 1 September 2024 (accessed 26 82ptember 2024). PSNI data breach: 'Family fears for my safety as a police officer' - BBC News, 9 August 2023 (accessed 26 September 2024). 83Dissident republicans claiming to possess information from PSNI data breach, says Byrne – The Irish Times, 10 August 2023 (accessed 26 September 2024). 31FOR PUBLIC RELEASE 64. The PSNI has accepted the sensitivity of the workforce data. The PSNI explained in the data breach report that “there is a risk of identification of officers and staff including those in crime operational roles”. The PSNI acknowledged the “scale of this breach and the impacts to the safety of officers and staff”. The PSNI explained that “our criminal investigation has confirmed the information is now in the hands of Dissident Republican Terrorists in Northern Ireland and PSNI has made this fact 84 public”. C. The infringements 65. The fact that an unauthorised disclosure took place on 8 August 2023 (the 8 August Incident) is not, in and of itself, sufficient to find that the PSNI has infringed Articles 5(1)(f) and 32 UK GDPR. 85 The Commissioner has considered whether the facts set out at paragraphs 32 to 47 above (the PSNI’s relevant procedures, policies and guidance) constitute infringements of the UK GDPR. 66. In order to assess the PSNI’s compliance with Articles 5(1)(f) and 32 UK GDPR, the Commissioner must necessarily exercise his judgement, as regulator, as to what “appropriate” security and “appropriate” technical and organisational measures would be in the circumstances (that is, taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural 86 persons”). 84 85PSNI Initial enquiries response letter, 29 August 2023. See the CJEU’s recent judgment in VB v Natsionalna agentsia za prihodite (Case C-340/21) at paragraphs 22-39, which the Commissioner has had regard to. 86See the text of Articles 5(1)(f) and 32 UK GDPR reproduced at paragraphs 15 and 16 above. 32FOR PUBLIC RELEASE 67. For the reasons set out below, the Commissioner’s view is that the PSNI infringed Articles 5(1)(f), 32(1) and (2) UK GDPR. The infringements involved a failure by the PSNI to use appropriate technical and organisational measures to ensure appropriate security of the personal data subject to the Relevant Processing. Appropriate security of the personal data 68. In assessing the “appropriate security of the personal data” under Article 5(1)(f) UK GDPR (and, equivalently, the “level of security appropriate to the risk” under Article 32 UK GDPR), the Commissioner has considered 87 the risk to the rights and freedoms of PSNI officers and staff which the Relevant Processing presented, in particular from unauthorised disclosure. Recital 75 UK GDPR states that such risk “may result from personal data processing which could lead to physical, material or non- material damage”. 69. Unauthorised disclosure of the workforce data risked data subjects being identified as PSNI officers/staff by family and friends (to whom the data subject had not revealed their occupation). It also risked data subjects being physically identified by dissident republicans. 70. If dissident republicans physically identified a data subject as a PSNI officer/staff member, this carried a further risk that other individuals would be physically identified as family members or friends of that data subject. 71. The Commissioner recognises that the threat to PSNI officers and staff is not from dissident republicans alone; there is a threat from organised 87As well as of those officers and staff in post at the time, the workforce data contained the personal data of officers and staff who were suspended or on a career break (PSNI Initial enquiries response letter, 29 August 2023, p. 4). 33FOR PUBLIC RELEASE crime groups and also from other paramilitary groups in Northern Ireland. 72. The Commissioner considers all three categories of damage as identified in Recital 75 UK GDPR (physical, material and non-material) could flow from the risks identified at paragraphs 69 to 71 above. Psychological harm, severe injury and even death could flow from those risks. 73. Recital 75 provides specific examples of damage. Of those examples, the Commissioner considers the following could have arisen from the risks identified at paragraphs 69 to 71 above: a) loss of control over personal data (that is, a data subject losing control of information about their occupation); b) deprivation of rights and freedoms (right to life, right to respect for private and family life, peaceful enjoyment of property); c) discrimination; d) financial loss; e) damage to reputation. 74. Paragraph 113 below sets out the types of damage which materialised as a result of the 8 August Incident. 75. In ensuring a level of security appropriate to the risk, Article 32(1) UK GDPR requires a controller to take into account the likelihood and severity of the risk to the rights and freedoms of data subjects. 76. The severity of the risk is self-evident. 77. The following factors are relevant to the likelihood of the risk presented by the Relevant Processing: 34FOR PUBLIC RELEASE a) The PSNI regularly received FOI requests which would require a member of the Workforce Planning Team to carry out the Relevant Processing. The PSNI confirmed that it was “normal practice” for the Workforce Planning Team to use workforce data 88to “create a pivot table to display the required data”. 89 This regularity increased the likelihood that an unauthorised disclosure would occur. b) Electronic files often contain data which is ‘hidden’ (i.e. data which is not immediately visible on screen, but is elsewhere within the file - the most obvious example being an electronic file’s metadata). It is particularly easy for spreadsheet files (such as Excel files) to contain hidden data; they are therefore particularly prone to human error. The fact that Excel files can contain worksheets which are not automatically visible as tabs has been noted at footnote 18 (page 12 above). Other examples of how Excel files can contain hidden data include: the fact that it is possible to purposefully hide worksheets, rows and columns; and the fact that the underlying data used to generate a pivot 90 table can be embedded in the pivot table as hidden data. Further examples of how spreadsheet files (and other electronic files) can contain hidden data are set out in the ICO’s guidance, How to disclose information safely – Removing personal data from information requests and datasets. 91 88 Specifically, the data file called “Combined 3C & Perlist”, which includes (for all officers and staff who are in post, suspended or on a career break at the time of download) the following categories of personal data: surnames and first name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number. 89 PSNI Fourth enquiries response letter, 13 December 2023. 90This underlying data can be accessed simply by double-clicking the pivot table. 91How to disclose information safely (ico.org.uk), June 2018 (accessed via search engine 26 September 2024). 35FOR PUBLIC RELEASE c) The Relevant Processing involved the personal data of all (almost 10,000) PSNI officers and staff. This increased the likelihood of risk to rights and freedoms. d) Responses to FOI requests were usually publicly available (they were often published on the WhatDoTheyKnow website and the 92 PSNI website’s FOI disclosure log). e) The workforce data included information such as the data subject’s rank/grade (which would likely be correlated with their age) as well as their gender and their post location. This increased the likelihood of identification (described at paragraph 69 above). 78. The following factors are relevant to the likelihood of the risk to the rights and freedoms of particular groups of PSNI officers and staff from the Relevant Processing: a) The uniqueness of many Irish surnames (and the possibility of associating some such surnames with a Catholic community background). A data subject with such a surname would be more likely to be identified as described at paragraph 69 above. b) Similarly, the uniqueness (within Northern Ireland) of surnames of police officers and staff from ethnic minority backgrounds. A data subject with such a surname would be more likely to be identified as described at paragraph 69 above. 92For the avoidance of doubt, the Commissioner recognises that the use of online platforms to submit and receive responses to FOI requests can be efficient and help promote transparency and are within the scope of the legislation. The use of online platforms is however a relevant factor in considering the likelihood of risk in this case. 36FOR PUBLIC RELEASE c) As regards officers involved in covert roles: i. The likelihood of damage flowing from identification by family and friends was higher in the case of officers involved in covert roles, as their occupation was more likely to be concealed in the first place. ii. The likelihood of physical identification by paramilitary groups including dissident republicans was, on balance, higher in the case of officers involved in covert roles who engaged (in person) with paramilitaries as part of their role. This would be the case if, for instance, an identity in the workforce data could be (directly or indirectly) linked to an image of that individual. iii. The workforce data would enable paramilitaries to infer that a given data subject was an officer involved in covert 93 roles. Paramilitary groups including dissident republicans would likely concentrate their efforts on physically identifying such data subjects, thereby increasing the likelihood of such identification. 79. The factors above indicate that a high level of security was appropriate to the risk presented by the Relevant Processing. The PSNI was required to implement appropriate technical and organisational measures to ensure this high level of security. Assessment of compliance prior to the 8 August Incident 80. Under the UK GDPR, it is for the PSNI to demonstrate compliance with Article 5(1)(f) (by virtue of Article 5(2)). It is also for the PSNI to demonstrate compliance with Article 32(1) and (2) (by virtue of Article 24). 93 See paragraph 63 above. 37FOR PUBLIC RELEASE 81. Paragraphs 32 to 44 above detail the Commissioner’s findings of fact in relation to the PSNI’s relevant procedures, policies and guidance in place prior to the 8 August Incident. 82. The Commissioner finds that those procedures, policies and guidance did not amount to an appropriate organisational measure. They did not ensure appropriate security of the personal data which was subject to the Relevant Processing, in that they did not appropriately protect the 94 workforce data from unauthorised disclosure as “hidden” data. The PSNI therefore infringed Articles 5(1)(f) and 32(1) UK GDPR. 83. To explain his finding of infringement, the Commissioner considers it useful to indicate ways in which the PSNI’s procedures, policies and guidance might have amounted to an appropriate organisational measure: a) A policy whereby spreadsheet files are disclosed only when the FOI requester expresses a preference for the information to be provided in that format.95 b) An FOI handling procedure which includes requirements for – i. the FOI Decision Maker to check all FOI response letters and attachments (that are electronic files) for hidden data – such a check being incorporated into the FOI Audit Log; ii. the FOI Decision Maker to discuss all FOI response letters with a Team Leader (and to make the Team Leader aware 94I.e. data which is not immediately visible on screen, but is elsewhere within an electronic file. 95Such a policy would be consistent with the Commissioner’s advisory note to all public authorities, issued on 28 September 2023: Information Commissioner’s Office - Advisory note to public authorities | ICO. 38FOR PUBLIC RELEASE of any attachments and the format in which any electronic files are to be disclosed); and iii. the Team Leader to perform a second check for hidden data where information is to be disclosed as a spreadsheet file – such a check being incorporated into the FOI Response Quality Assurance Checklist. c) The policy at (a) and the procedural requirements at (b) above to be clearly recorded in appropriate documents (here, the FOI Service Instruction, FOI Audit Log and FOI Response Quality Assurance Checklist). d) CIB staff to be required to confirm to line managers that they have read and understood appropriate guidance on checking electronic files for hidden data (such as the ICO’s guidance How to disclose information safely – Removing personal data from information requests and datasets, dated 24 May 2018). e) The provision of appropriate training (at appropriate intervals) to CIB staff which – i. raises awareness of the policy at (a) and the procedural requirements at (b); and ii. ensures CIB staff are competent to perform checks for hidden data. 84. The Commissioner notes that there may be other ways in which the PSNI’s procedures, policies and guidance prior to the 8 August Incident could have amounted to an appropriate organisational measure. That is, the PSNI could have demonstrated compliance (protected the workforce data from unauthorised disclosure as “hidden” data) in other ways. 96 96 The PSNI could also have implemented appropriate technical measures. 39FOR PUBLIC RELEASE 85. The PSNI was unable to provide evidence of any assessment of the 97 appropriate level of security in relation to the Relevant Processing.The Commissioner therefore finds that the PSNI also infringed Article 32(2) UK GDPR. Assessment of compliance following introduction of August/September 2023 organisational measures 86. Paragraphs 45 to 47 above set out the Commissioner’s findings of fact in relation to the procedures, policies and guidance introduced by the PSNI in August/September 2023 (following the 8 August Incident). 87. The direction issued by the SIRO on 9 August 2023 98constituted a policy requiring all FOI responses to be in PDF format (the “PDF Policy”). The Interim Guidance issued on 8 September 2023 reinforced the PDF Policy but allowed FOI responses to be in CSV format (as well as PDF). 88. The Commissioner acknowledges that the PDF Policy and Interim Guidance will have improved the security of the personal data which was subject to the Relevant Processing. The Commissioner finds however that they did not amount to an appropriate organisational measure. This is for two reasons: a) If a FOI requester expresses a preference under section 11(1) of the Freedom of Information Act 2000 for receiving the information in a particular software format (such as an Excel file), the PSNI is required to give effect to that preference so far as reasonably 97PSNI Further enquiries response letter, 22 March 2024, p. 2. 98 PSNI Email to the ICO responding to an additional query, 25 March 2024. 40FOR PUBLIC RELEASE practicable.99 The PDF Policy and Interim Guidance did not align with this legal requirement. In order to be appropriate, an organisational measure (implemented to protect personal data which is subject to the Relevant Processing) would need to form part of a single, coherent FOI handling procedure which ensured the PSNI’s compliance with the Freedom of Information Act 2000. b) Putting the above consideration to one side, the Commissioner considers the PDF Policy and Interim Guidance would only have ensured appropriate security of the workforce data if they had been properly integrated into the PSNI’s FOI handling procedure. Such integration would have involved (at the very least) references to the PDF Policy and Interim Guidance in the FOI Service Instruction and the FOI Audit Log (the key corporate documents which govern, and which are used as part of, the FOI handling procedure). Neither the FOI Service Instruction nor the FOI Audit Log were updated in this way. 100The Interim Guidance was a separate document that was not specific to the handling of FOI requests and which was “interim pending its amalgamation into current service instructions and Information Security standards”. 101 89. The Commissioner finds, therefore, that despite the introduction of organisational measures in August/September 2023, the PSNI continued to infringe Article 5(1)(f) and Article 32(1) UK GDPR. It had yet to use appropriate organisational measures to protect the workforce data from unauthorised disclosure as hidden data. 99 Innes v the Information Commissioner and Buckinghamshire County Council [2014] EWCA Civ 1086. See the Commissioner’s guidance on s.11 FOIA: Means of communicating information (section 11) | ICO, last updated 11 October 2021. 100FOI Audit Log v4, November 2023. 101Interim security guidance on safe data sharing dated 8 September 2023. 41FOR PUBLIC RELEASE Assessment of compliance as of 14 June 2024 102 90. On 20 May 2024, the Commissioner informed the PSNI that the Commissioner intended to give an enforcement notice pursuant to section 149 DPA (in addition to a penalty notice). 91. The proposed enforcement notice would have required the PSNI to implement points (a) to (e) at paragraph 83 above (steps which the Commissioner considers would have resulted in the implementation of an appropriate organisational measure). 92. On 14 June 2024, the Commissioner received written representations from the PSNI about his intention to give an enforcement notice. The written representations confirmed that the PSNI had, as of 14 June 2024, taken the steps which the proposed enforcement notice would have required (the steps at paragraph 83 above). The written representations attached copies of updated versions of the FOI Service Instruction, FOI Audit Log and FOI Response Quality Assurance Checklist. A copy of the PSNI’s “Policy on the Safe and Secure Use of Spreadsheets for Data Sharing” was also provided. 93. Having considered the written representations and accompanying documents, the Commissioner finds that by 14 June 2024, the PSNI had implemented appropriate measures to ensure appropriate security of the workforce data which was subject to the Relevant Processing, in so far as the workforce data was protected from unauthorised disclosure as 103 “hidden” data. The ongoing infringements of Articles 5(1)(f) and 32 UK GDPR were therefore remedied by that date. 104 102 By way of a “preliminary” enforcement notice. 103I.e. data which is not immediately visible on screen, but is elsewhere within an electronic file. 104As a result, there are no longer grounds to give the proposed enforcement notice. 42FOR PUBLIC RELEASE V. DECISION TO IMPOSE A PENALTY 94. For the reasons set out below, the Commissioner has decided to impose a penalty on the PSNI in respect of the infringements of Articles 5(1)(f), 32(1) and 32(2) UK GDPR during the period 25 May 2018 to 14 June 2024. A. Legal framework – penalties 95. When deciding whether to give a penalty notice to a person and determining the appropriate amount of that penalty, section 155(2)(a) DPA requires the Commissioner to have regard to the matters listed in Article 83(1) and (2) UK GDPR, so far as relevant. 96. Article 83(1) UK GDPR requires the Commissioner to ensure that the imposition of a penalty is effective, proportionate, and dissuasive in each individual case. 97. Article 83(2) UK GDPR requires the Commissioner to give due regard to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; 43FOR PUBLIC RELEASE (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the Commissioner, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the Commissioner, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. B. The Commissioner’s decision on whether to impose a penalty 44FOR PUBLIC RELEASE 98. Paragraphs 101 to 164 below set out the Commissioner’s assessment of whether it is appropriate to issue a penalty in relation to the infringements set out above. That assessment involves consideration of the factors in Articles 83(1) and 83(2) UK GDPR. The order in which these considerations are set out below follows the Commissioner’s Data Protection Fining Guidance, (the “Fining Guidance”): 105 a) seriousness of the infringements (Article 83(2)(a), (b) and (g)); b) relevant aggravating or mitigating factors (Article 83(2)(c)-(f), (h)-(k)); c) effectiveness, proportionality and dissuasiveness (Article 83(1)). 99. The Commissioner has not conducted a separate assessment for each infringement. As explained further below, the Commissioner considers the three infringements are of the same nature. 106 An assessment of whether it is appropriate to impose a penalty has been taken in relation to the three infringements collectively. 100. The Commissioner’s decision is to impose a penalty. Seriousness of the infringements: Article 83(2)(a) the nature, gravity and duration of the infringements 101. In assessing the seriousness of the infringements, the Commissioner has given due regard to their nature, gravity and duration. Nature of the infringements 105Data Protection Fining Guidance | ICO, 18 March 2024. 106 See footnote 145. 45FOR PUBLIC RELEASE 102. Article 5(1)(f) UK GDPR (integrity and confidentiality) is a basic principle for processing. An infringement of this provision is subject to the higher 107 maximum fine, increasing its seriousness. Gravity of the infringements 103. In assessing the gravity of the infringements, the Commissioner has considered the nature, scope and purpose of the Relevant Processing, as well as the number of data subjects affected by the Relevant Processing and the level of damage they have suffered. 108 104. In the absence of appropriate security measures, the nature of the Relevant Processing was likely to result in high risk to data subjects for the reasons set out at paragraphs 68 to 79 above. The data subjects were at greater risk because of their occupation as PSNI officers/staff (especially officers involved in covert roles). 105. As regards the scope of the Relevant Processing, the Commissioner notes that its territorial scope extended to officers and staff from across the whole of Northern Ireland. 106. The purpose of the Relevant Processing was to respond to FOI requests. The Commissioner considers this to be a regular activity of the PSNI (and of all public authorities). Organisations are expected to ensure compliance in respect of all their processing, but particularly so in respect of processing which forms part of a regular activity. If an organisation cannot ensure compliance in respect of regular activities, this diminishes 107£17,500,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)(a) UK GDPR). 108Article 83(2)(a) UK GDPR. 46FOR PUBLIC RELEASE confidence in the organisation’s compliance overall. The purpose of the Relevant Processing therefore increases the gravity of the infringements. 107. The Relevant Processing, and therefore the infringements, affected all PSNI officers and staff. In the context of the 8 August Incident, this amounted to 9,483 affected data subjects. When considered in light of the level of damage suffered, this factor increases the gravity of the infringements. Further consideration of the number of data subjects who suffered damage as a result of the 8 August Incident is set out at paragraph 112 below. 108. In relation to the level of damage suffered by affected data subjects, the Fining Guidance makes clear that the Commissioner will have regard to both potential and actual damage. 109. The infringements involved a failure to protect the workforce data from unauthorised disclosure as “hidden” data. The types of damage which data subjects could have potentially suffered as a result of unauthorised disclosure have been set out at paragraphs 72 and 73 above. They include the gravest type of damage: severe physical injury and even death. This increases the gravity of the infringements. 110. The Commissioner is of the view that, on the balance of probabilities, the 8 August Incident occurred as a consequence of the infringements set out in this Penalty Notice. In assessing the level of damage suffered as a result of the infringements, the Commissioner has therefore had regard to the damage suffered by data subjects as a result of the 8 August Incident. As stated in the Fining Guidance, however, “The Commissioner’s assessment of the level of damage suffered by data subjects will be limited to what is necessary to evaluate the seriousness of the infringement. Typically, it would not involve quantifying the harm, either in aggregate or suffered by specific people. It is also without 47FOR PUBLIC RELEASE prejudice to any decisions a UK court may make about awarding compensation for damage suffered.” 111. Complaints lodged by data subjects under Article 77 UK GDPR have assisted the Commissioner’s assessment of the level of actual damage suffered. Five bulk complaints 109from staff associations and networks were lodged with the Commissioner, as well as six individual complaints. The five bulk complaints were lodged by the Police Federation for Northern Ireland, the Superintendents’ Association, the Catholic Police Guild, the Ethnic Minority Police Association and the Christian Police Association. 112. The Commissioner notes that not all affected data subjects will have suffered damage and that of those who did, the types and level of damage are highly specific to individual circumstances. In considering the number of data subjects who suffered damage as a result of the 8 August Incident, the Commissioner has had regard to the high volume of referrals made to the PSNI’s Emergency Threat Management Group (such that the PSNI had to prioritise them by implementing a RAG rating system). Of the referrals received as of 22 September 2023, 879 had been categorised as red, 1,616 had been categorised as amber and 1,543 had been categorised as green. 110 As of 18 October 2023, a total of 4,024 111 referrals had been made. The Commissioner also 109 On 18 September 2023 the PSNI and the ICO issued a joint statement to all PSNI officers and staff. The statement informed officers and staff that the ICO was engaging with staff associations and networks regarding complaints and that individuals did not need to lodge complaints separately (Joint comms email sent to PSNI staff, 18 September 2023). The ICO met with representatives of the associations and networks on 18 October 2023 and it was agreed that the associations and networks would gather information from their members and provide this to the ICO in the form of bulk complaints. 110PSNI Second enquiries response letter, 22 September 2023, p. 13. 111Though the PSNI had identified over 800 of these to be duplicate referrals. (Internal meeting notes from PSNI visit on 18 October 2023, p. 2). 48FOR PUBLIC RELEASE understands that more than 6,000 claims have been brought against the 112 PSNI for damages in connection with the 8 August Incident. 113. Two types of (non-material) damage appear to the Commissioner to be common among many affected data subjects (albeit at varying levels of severity): a) psychological harm (fear and anxiety about personal safety and the safety of family and friends); and b) loss of control of personal data (diminished ability to control knowledge of occupation). 114. The Commissioner has not seen evidence of data subjects suffering physical injury from dissident republicans as a result of the 8 August Incident. 115. Below, the Commissioner sets out some examples from the lodged complaints which he has had regard to in assessing the level of damage 113 suffered. The Commissioner is aware that these examples are likely to represent the most severe levels of damage suffered. This is, however, precisely why the Commissioner considers these examples to be instructive in evaluating the gravity of the infringements. Examples of damage suffered from the lodged complaints “How has this impacted on me? I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that 112 High Court order will deliver ‘swift management’ of compensation claims by those affected by PSNI data breach – The Irish News, 24 March 2024 (accessed 26 September 2024). 113Naturally, these examples reflect the damage suffered from 8 August 2023 up to the time at which the complaints were lodged. The last complaint was lodged in February 2024. 49FOR PUBLIC RELEASE everything is ok. I have spent over £1000 installing modern CCTV and lighting around my home, because of the exposure.” “I am a Catholic police officer … My name as a police officer, which I tried so hard to conceal from family, acquaintances and wider society is now available to anyone. … I worry most days that at any minute, we don’t know who is sitting scrutinising that list and trying to investigate and piece together the intel they may already have amassed and make it into something actionable to harm us with the data they have now been furnished with...” “As a result of the spreadsheet data being released to the public… I have increased security at my home but also at my parents’ home. I am struggling to sleep and find myself awake at night checking cameras. I have not visited my family home since the spreadsheet data was released as I believe it would put them in further danger. Furthermore, my parents do not want to visit my home for fear that someone would follow them to my address.” “… we have recently had to reconsider all our activities particularly as a result of the recent data breach with my name being in the public domain and the fact that it lists me as working in [PSNI department]. … Following the data breach my wife … has become extremely concerned as to our own and our children’s personal security, we have no security measures in our home and financially we have no surplus money to install these.” “I have gone to great trouble to ensure that I have remained invisible, with no social media presence, removal from the electoral roll, 192.com, never revealing my job to others and lying about where I work whenever asked. … I have trouble sleeping, my children … are all stressed about my welfare, some of them have told me that they have nightmares about me getting attacked.” 50FOR PUBLIC RELEASE “I believe the risk to my personal security and the safety of my wife and …young children is more significant for me due to the fact that I grew up in the area where we are most active. As a result of this many persons involved and linked to paramilitary groups and wider criminal circles in this area would know me or remember me from both school and childhood. I have gone to great lengths to keep my occupation confidential. Only close family and friends previously had knowledge of it. I have a minimal social media footprint. I have also spent a considerable amount of effort to make our home private and secure to reduce potential for attacks. This has now been severely compromised and will require further expense to upgrade.” “Everything has culminated and become too much for me to the point that I have accepted another job outside of the police. I am essentially taking a pay cut … not to mention leaving the job that I dreamed of since I was a small child and geared my whole life towards. To say I am devastated is an understatement but I feel I have no choice.” “I have quite a unique surname which had been shared in the data breach, I feel that this not only puts my name in the hands of individuals who may seek to do harm but also affects my own personal family as well and my wider family… The PSNI recently had a senior Officer shot multiple times so the threat does feel very real, in that there are elements that seek to cause this harm to Police Officers on a daily basis. This data breach will have aided them in doing so.” “The breach is having an impact on my personal life as my family are now very anxious and concerned for their and my welfare. I don’t sleep well maybe a couple of hours a night, I formulate plans in my head if I get attacked at home, away from home, in my car, and it’s a lonely experience.” 51FOR PUBLIC RELEASE 116. The above statements and those contained in the many other lodged complaints indicate the significant level of actual damage suffered, and therefore the gravity of the infringements. The Commissioner gives very significant weight to this factor in his assessment of the gravity of the infringements. 117. To summarise the Commissioner’s assessment of the gravity of the infringements: the nature and purpose of the Relevant Processing, the number of data subjects affected, and the level of damage suffered by them all increase the gravity of the infringements. The gravity of the infringements increases their seriousness. Duration of the infringements 118. The duration of the infringements is from 25 May 2018 (the date of 114 commencement of the DPA and application of the GDPR ) until 14 June 115 2024 (when the infringements were remedied ). 119. The risk of damage (i.e. potential damage) to data subjects existed from at least as early as 25 May 2018 and could have materialised at any point during this lengthy period. The risk of damage materialised on 8 August 2023. 120. The duration of the infringements increases their seriousness. Conclusion on the nature, gravity and duration of the infringements 114That is, the PSNI infringed Articles 5(1)(f), 32(1) and 32(2) UK GDPR ever since its obligations under those provisions arose in respect of the Relevant Processing. 11See paragraphs 90 to 93 above. 52FOR PUBLIC RELEASE 121. The nature, gravity and duration of the infringements all increase the seriousness of the infringements. Seriousness of the infringements: Article 83(2)(b) the intentional or negligent character of the infringements 122. The Commissioner does not consider that the PSNI acted intentionally in committing the infringements. The Commissioner does, however, find that the infringements were clearly negligent in character. 123. The PSNI ought to have known the nature and severity of the risk described at paragraphs 69 to 73 above. 124. The PSNI ought to have known the likelihood of risk (the factors set out at paragraphs 77 and 78 above). 125. In particular, the PSNI ought to have known that spreadsheet files are prone to hidden data (and therefore human error) for the following reasons: a) The Commissioner’s FOI guidance raises awareness of this issue: 53FOR PUBLIC RELEASE i. Under the heading “Is there anything else we should consider before sending the information?”, first published on the ICO website in July 2013: 116 ii. In the Commissioner’s more detailed FOI guidance on “Means of communication information (section 11)”, first published on 11 October 2021: 117 b) In June 2018, the ICO published the guidance “How to disclose information safely – removing personal data from information 116Finding and preparing the information | ICO. 117Means of communicating information (section 11) | ICO. 54FOR PUBLIC RELEASE requests and datasets” on its website. 118This guidance discusses in detail the various ways in which electronic files can contain hidden data and how to check for such hidden data. In relation to spreadsheet files, for instance, the guidance suggests exporting data to a text file such as CSV, 119and using (in the case of Excel) the “Document Inspector” tool. 120 A checklist is provided at the end, with questions such as “Are you sure you know where all the data is? … Are there hidden work sheets? 121 … Is the file size larger than you might expect for the volume of data being disclosed?” c) Other relevant guidance available prior to and since the 8 August Incident includes: i. Guidance from the National Archives (last updated April 2016) “Redaction Toolkit: Editing exempt information from 122 paper and electronic documents prior to release”, which is aimed at “all authorities subject to the Freedom of Information Act (FOIA), Data Protection (DP) legislation and Environmental Information Regulations (EIRs), from central Government departments to local, police, health and education authorities.” 118How to disclose information safely (ico.org.uk), June 2018 (accessed via search engine 26 September 2024). Between June 2018 and August 2022, a link to this guidance was contained in the full index of freedom of information and environmental information guidance on the ICO website. After August 2022, the link to this guidance was removed from the full index. The guidance nevertheless remained on the ICO website and could be found through search engines. 119 On attempting to export data to a text file, a dialog box opens reminding the user that only the current worksheet will be saved to the new file. 120Though use of this tool would not alert a user to the presence of worksheets which are not visible as tabs. 121 As noted at paragraph 21(g), in the case of the 8 August Incident, the worksheet containing the personal data was not hidden, it was simply not visible as a tab. 122redaction_toolkit.pdf (nationalarchives.gov.uk), April 2016 (accessed 26 September 2024). 55FOR PUBLIC RELEASE ii. The UK Government’s guidance “Creating and sharing spreadsheets” (first published June 2021). 123 iii. The National Police Chiefs’ Council (“NPCC”) “Manual of Guidance for the FOIA” 124 (v.8.0, dated January 2021) also contained guidance stating, “If forces choose to provide the information in a re-usable format (pivot tables) they must ensure that any “hidden” information is redacted so as not to disclose data unintentionally.” 125 iv. Advice (sent directly to all police forces) from the NPCC’s National Police Freedom of Information and Data Protection Unit in June 2023. This advice referred specifically to the risk of “hidden” data in Excel files. The advice included a link to the ICO’s May 2018 guidance, and even highlighted how there can be more worksheets than there are visible tabs.126 123 Creating and sharing spreadsheets - GOV.UK (www.gov.uk), June 2021 (accessed 26 September 2024). 124Microsoft Word - NPCC Manual Of Guidance 2021 v8.0 (cityoflondon.police.uk), January 2021 (accessed 26 September 2024). 125The PSNI stated that this Manual is “supplied to all staff” (PSNI Initial enquiries response letter, 29 August 2023). For the avoidance of doubt, the Commissioner does not consider the supplying of this document to have been (either on its own or in conjunction with the procedures, policies and guidance set out at paragraphs 32 to 47 above) an appropriate security measure. Whilst the Manual raises the issue of “hidden” data, it provides very limited guidance on it. The PSNI has also been unable to point to any requirement for CIB staff to confirm that they had read and understood the Manual. 126PSNI internal emails re NPCC FOI advice, 21 June 2023. When asked to explain how the PSNI acted on this piece of advice, the PSNI stated that the advice was circulated to FOI Decision Makers and line managers within CIB by email (PSNI Further enquiries response letter, 22 March 2024, p. 4). The Commissioner does not consider this action (either on its own or in conjunction with the procedures, policies and guidance set out at paragraphs 32 to 47 above) amounted to an appropriate security measure. Notably, the PSNI has been unable to point to any requirement for CIB staff to confirm that they had read and understood the advice. The email received from the NPCC was simply forwarded to CIB staff without any further instruction from the PSNI. The PSNI has also been unable to demonstrate that the advice was properly integrated into the FOI handling procedure. Indeed, was accepted by the current Chief Constable in oral evidence to the Northern Ireland Affairs Committee on 13 December 2023: “We had had a number of warnings with 56FOR PUBLIC RELEASE d) The ICO has fined data controllers (under the Data Protection Act 1998) for failing to take appropriate measures against unauthorised processing of personal data (in contravention of the seventh data principle) 127 when using spreadsheet files to share information externally: i. In April 2018, the Royal Borough of Kensington and 128 Chelsea, £120,000. ii. In April 2016, Blackpool Teaching Hospitals NHS 129 Foundation Trust, £185,000. 130 iii. In August 2013, Islington Borough Council, £70,000. regards to the use of PDFs. I think the report references the National Police Chiefs’ Council in January and June of last year sending out notifications about best practice. Some of it was adopted in the PSNI and some of it was not. There was no standard operating procedure to bring that all of that together.” 127 The seventh data protection principle read as follows: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” 128The contravention was as follows: (a) The Council did not provide the FOI team with any (or any adequate) training on the functionality of Excel spreadsheets or possible alternatives; (b) The Council had in place no guidance for the FOI team to check spreadsheets for data hidden in any pivot table before they are disclosed under FOI. 129 The contravention was as follows: (a) The Trust had in place no procedure governing requests for information from ESR [the electronic staff records system] to control its use and further dissemination; (b) The Trust did not provide the team with any (or any adequate) training on the functionality of Excel spreadsheets or possible alternatives; (c) The Trust had in place no guidance for the web services team to check the spreadsheets for hidden data before they were uploaded to its website. 130The contravention was as follows: a) Whilst the data controller had dedicated IGOs [Information Governance Officers] in post, there was no formal or consistent process in place for checking an FOI response; b) There were no specific checking procedures built into that process to check whether personal or sensitive personal data was present ahead of providing a response to an FOI request; c) There were no sufficient procedures in place to train staff to carry out such checks and as such the data controller failed to equip its staff with the appropriate knowledge and skills. … i) An effective training programme for staff had not been implemented. The person responsible for disclosing the information had not been trained properly to enable them to identify sensitive personal data contained in the pivot tables nor had they received any specific data protection training. They were therefore unable to 57FOR PUBLIC RELEASE These cases further raised awareness of how spreadsheet files are prone to containing hidden data. 126. Having regard to paragraph 83 above, the Commissioner considers an appropriate organisational measure would have been straightforward and uncostly to implement. 127. The fact that the PSNI ought to have known the likelihood, nature and severity of the risk, coupled with the ease with which an appropriate security measure could have been implemented, renders the PSNI’s infringements of Articles 5(1)(f) and 32(1) UK GDPR negligent. It was also negligent not to carry out a data security risk assessment as required by Article 32(2) UK GDPR. 128. The clearly negligent character of the infringements increases their seriousness. Seriousness of the infringements: Ar ticle 83(2)(g) categories of personal data affected 129. The Commissioner does not consider the workforce data 131which was subject to the Relevant Processing to be special category data. mitigate against the risk of an unlawful disclosure. ii) Whilst the data controller had some standard procedures in place for dealing with FOI requests, the data controller did not have appropriate technical or organisational measures in place to firstly screen and check whether personal data was present in information being prepared for disclosure and secondly to check it, prior to it being disclosed in response to an FOI request. iii) There is no documented procedure that specified that a request must be checked by a peer. 131Specifically, the data file called “Combined 3C & Perlist”, which includes (for all officers and staff who are in post, suspended or on a career break at the time of download) the following categories of personal data: surnames and first name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number. 58FOR PUBLIC RELEASE 130. The Commissioner notes, however, paragraph 72 of the Fining Guidance: “In assessing seriousness, the Commissioner may also take into account other types of personal data affected by the infringement where that data may be regarded as particularly sensitive. This includes where the dissemination of the personal data is likely to cause damage or distress to data subjects…”. 131. For the reasons set out at Section IV(B) (Nature of the personal data and context of the Relevant Processing), the workforce data was sensitive. Where that data related to officers involved in covert roles, it was particularly sensitive. Disclosure of the workforce data was likely to cause damage to data subjects. This further increases the seriousness of the infringements. Conclusion on seriousness of infringements 132. Having considered the nature, gravity and duration of the infringements, as well as their clearly negligent character and the categories of personal data affected, the Commissioner categorises the infringements as having a high degree of seriousness. 133. In the absence of any aggravating or mitigating factors, the infringements would warrant the imposition of a penalty. The Commissioner’s consideration of any aggravating or mitigating factors follows below. 59FOR PUBLIC RELEASE Relevant aggravating or mitigating factors: Article 83(2)(c) any action taken by the controller or processor to mitigate the damage suffered by the data subjects 134. In assessing this factor, the Commissioner has considered the actions taken by the PSNI to mitigate both actual and potential damage suffered as a result of the 8 August Incident. The Commissioner has considered the relatively prompt removal of the disclosed data from the WhatDoTheyKnow website, the PSNI’s criminal investigation, the steps taken to reduce the identifiability of PSNI officers and staff and the support the PSNI offered them. 135. Naturally, the most effective mitigating action which the PSNI could have taken was to seek the removal of the disclosed data from the WhatDoTheyKnow website promptly. The Commissioner notes that the PSNI requested removal of the disclosed data from the WhatDoTheyKnow website 37 minutes after becoming aware of the breach.132 The Commissioner considers this to be a relatively prompt response. 136. The Commissioner notes the criminal investigation launched by the PSNI on 9 August 2023 to investigate possible offences under the Terrorism Act 2000 133. Using IP addresses, the PSNI sought to identify all individuals who had accessed the disclosed data on the WhatDoTheyKnow website. 134As of 18 October 2023, the investigation had led to six arrests: one individual was charged, and five individuals were bailed. As of 18 October 2023, the investigation had also been 132PSNI Initial enquiries response letter, 29 August 2023, p. 2. 133The disclosed data was considered to be information of a kind likely to be useful to a person committing or preparing an act of terrorism. 134PSNI officers and staff who were identified as having accessed the disclosed data were instructed to delete it. 60FOR PUBLIC RELEASE monitoring the dark web for the disclosed data. 135 Public statements made by the PSNI in connection with the arrests have reiterated that the PSNI “… continue to work toward establishing those who possess information relating to the data breach on August 8th, and will take action to ensure that any criminality identified is dealt with robustly to keep communities, and our officers and staff who serve them, safe.” 136 137. In a briefing to the Commissioner on 18 October 2023, the PSNI suggested the criminal investigation, the arrests and public statements are all likely to have made possession of the disclosed data undesirable. 137 The Commissioner agrees this is likely to be true for ordinary members of society, and that this goes some way to reducing the risk of data subjects’ occupations becoming known to their family and friends. 138. The Commissioner thinks it unlikely, however, that dissident republicans would be much deterred by the PSNI’s actions. Indeed, as early as 10 August 2023, the then Chief Constable stated, “We have since become aware of dissident republican claims that they are in possession of data 138 circulating on WhatsApp.” On 14 August 2023, the then Chief Constable stated, “We are now confident that the workforce data set is 139 in the hands of Dissident Republicans”. 139. Paragraph 26 of this Penalty Notice sets out the steps taken by the PSNI with the aim of reducing the identifiability of PSNI officers and staff. 135PSNI Op Sanukite Update, 18 October 2023 and Internal meeting notes from PSNI visit on 18 October 2023, p. 2. 136Detectives investigating criminality linked to freedom of information data breach make arrest | PSNI, 19 October 2023 (accessed 26 September 2024). 137Internal meeting notes from PSNI visit on 18 October 2023. 138 Statement from the Chief Constable on the data breach investigation | PSNI, 10 August 2023 (accessed 26 September 2024). 139Update from the Chief Constable on the data breach investigation | PSNI, 14 August 2023 (accessed 26 September 2024). 61FOR PUBLIC RELEASE Those steps involved changing officer and staff identification numbers and reducing their use. 140. The Commissioner is not in a position to assess the effect of these steps on the risks identified at paragraph 69 above (namely, the risk of data subjects being identified as PSNI officers/staff by family and friends, as well as the risk of physical identification by dissident republicans).40 141. Paragraph 27 of this Penalty Notice sets out the main steps taken by the PSNI to support officers and staff following the 8 August Incident. 142. The Commissioner does not consider these actions (the removal of the disclosed data from the WhatDoTheyKnow website, the criminal investigation, the steps to reduce the identifiability of officers and staff and the support offered to them), taken collectively, amount to a mitigating factor in his decision on whether to impose a penalty. These actions were all entirely in line with what would reasonably be expected of a police force responding to a personal data breach of this scale and severity. Relevant aggravating or mitigating factors: Article 83(2)(d) the degree of responsibility of the controller or processor 143. A failure to implement appropriate technical or organisational measures is inherent to infringements of Articles 5(1)(f) and 32(1) UK GDPR. The PSNI’s responsibility for these infringements is therefore also inherent. 144. The PSNI was the sole controller in respect of the Relevant Processing. The PSNI therefore bears full responsibility for the infringements. 14The notice of intent given to the PSNI on 20 May 2024 invited representations in this regard, but none were received. 62FOR PUBLIC RELEASE 145. The Commissioner considers that any public authority responding to FOI requests, regardless of size and financial position (i.e. the resources available to it), could be reasonably expected to implement an appropriate security measure which incorporates elements analogous to those set out at paragraph 83 above - even where the nature of the processing is low-risk. 146. The PSNI covers the second largest demographic in the UK and in the financial year 2022-2023, received approximately £840 million in funding from the Northern Ireland Assembly. 141The Relevant Processing was high risk (see paragraphs 68 to 79 above). It follows even more that the PSNI could have been reasonably expected to have implemented an appropriate security measure. 147. The PSNI’s degree of responsibility is therefore an aggravating factor in the Commissioner’s decision to impose a penalty. Relevant aggravating or mitigating factors: Article 83(2)(e) any relevant previous infringements by the controller or processor 148. The Commissioner is not aware of any relevant previous infringements. This factor is therefore not relevant to his decision. Relevant aggravating or mitigating factors: Article 83(2)(f) the degree of cooperation with the Commissioner 149. Controllers and processors are expected to cooperate with the Commissioner in the performance of the Commissioner’s tasks, for 141Police Service of Northern Ireland - Annual Report and Accounts for the year ended 31 March 2023 (psni.police.uk), p. 106, 7 July 2023 (accessed 26 September 2024). 63FOR PUBLIC RELEASE example by responding to requests for information and attending meetings. The Commissioner considers that the ordinary duty of cooperation is required by law (Article 31 UK GDPR) and meeting this standard is therefore not a mitigating factor. 150. The PSNI has responded to requests for information during the Commissioner’s investigation in a way that has enabled the enforcement process to be concluded significantly more quickly and effectively. In doing so, the Commissioner’s view is that the PSNI has demonstrated good cooperation. This would, however, be reasonably expected of any public authority. The Commissioner therefore considers this to be a neutral, rather than mitigating, factor. Relevant aggravating or mitigating factors: Article 83(2)(h) the manner in which the infringements became known to the Commissioner 151. The infringements became known to the Commissioner as a result of his investigation. That investigation was prompted by the 8 August Incident. 152. Although the Commissioner was notified by the PSNI of the 8 August Incident, that notification, however prompt, was a legal requirement (Article 33 UK GDPR). 153. The Commissioner therefore considers this factor to be neutral. Relevant aggravating or mitigating factors: Article 83(2)(i) measures previously ordered against the controller or processor 154. There are no measures referred to in Article 58(2) UK GDPR which have previously been ordered against the PSNI concerning the same subject 64FOR PUBLIC RELEASE matter. This factor is therefore not relevant to the Commissioner’s decision. Relevant aggravating or mitigating factors: Article 83(2)(j) adherence to approved codes of conduct or certification mechanisms 155. There are no relevant codes of conduct or approved certification mechanisms. This factor is therefore not relevant to the Commissioner’s decision. Relevant aggravating or mitigating factors: Article 83(2)(k) any other applicable aggravating or mitigating factors 156. There are no other aggravating or mitigating factors applicable to the circumstances of the case. This factor is therefore not relevant to the Commissioner’s decision. Conclusion on relevant aggravating and mitigating factors 157. The Commissioner has taken into account the degree of the PSNI’s responsibility as an aggravating factor. 158. Consideration of the seriousness of the infringements (the first stage of the assessment) indicated that a penalty is appropriate. The aggravating factor strengthens that assessment. 159. The final stage involves consideration of the effectiveness, proportionality and dissuasiveness of a penalty. 65FOR PUBLIC RELEASE Effectiveness, proportionality and dissuasiveness 160. The Commissioner considers imposition of a penalty would be effective and dissuasive. It would both promote compliance with data protection legislation and provide an appropriate sanction for the infringements. The PSNI will continue to have to process personal data when responding to FOI requests, so there is a need to deter the PSNI from infringing the security provisions of the UK GDPR again. There is also a need to deter other public authorities subject to the Freedom of Information Act 2000 from committing such infringements. 161. Taking into account the high degree of seriousness of the infringements (notably the damage suffered by data subjects) and the PSNI’s size and financial position, the Commissioner considers that the imposition of a penalty would be proportionate – it would not exceed what is appropriate and necessary in the circumstances to ensure compliance with data protection legislation and to provide an appropriate sanction for the infringements. C. Conclusion on decision on whether to impose a penalty 162. In light of the assessment above, the Commissioner has decided to impose a penalty. 163. In June 2022, the Commissioner set out a revised approach to public 142 sector enforcement to be trialled over two years. To support this approach, the Commissioner committed to working proactively with 142Open letter from UK Information Commissioner John Edwards to public authorities, 30 June 2022. The revised approach (which was trialled for a two-year period ending in June 2024) is currently under review. The revised approach continues to be applied pending the outcome of that review: ICO statement on its public sector approach trial | ICO. 66FOR PUBLIC RELEASE senior leaders in the public sector to encourage compliance, prevent harms before they occur, and learn lessons when things have gone wrong. In practice, this means that for the public sector the Commissioner has committed to increasing the use of public reprimands and enforcement notices, only issuing fines in the most egregious cases. 143 164. The Commissioner has had regard to the revised public sector approach in reaching his decision to impose a penalty in this case. The Commissioner is satisfied that this case is sufficiently egregious to warrant the imposition of a penalty. VI. CALCULATION OF PENALTY 165. The Fining Guidance sets out a five-step approach which the Commissioner has applied to calculate the amount of the penalty: Step 1: Assessment of the seriousness of the infringement. Step 2: Accounting for turnover. Step 3: Calculation of the starting point. Step 4: Adjustment to take into account any aggravating or mitigating factors. Step 5: Assessment of whether the fine is effective, proportionate and dissuasive. Following the application of this five-step approach, the Commissioner has gone on to consider the amount of the penalty in light of his revised approach to public sector enforcement. Statutory maximum penalty 143 See ICO25 – Our Regulatory Approach, 7 November 2022, p. 7. 67FOR PUBLIC RELEASE 166. Article 83(3) UK GDPR states that “if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the UK GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”. The PSNI’s three infringements (of Articles 5(1)(f), 32(1) and 32(2) UK GDPR) were all for the same processing operations (the Relevant Processing). The gravest infringement was that of Article 5(1)(f) UK GDPR. 167. The infringement of Article 5(1)(f) UK GDPR, which is a basic principle for processing, is subject to the statutory maximum of £17.5 million (Article 83(5)(a) UK GDPR). 144 Had the Commissioner imposed a separate penalty for each of the three infringements, the total of those three penalties could not have exceeded £17.5 million. 168. In this case, however, the Commissioner has calculated a single penalty for all three infringements. This is because the three provisions infringed are all of the same nature: they all seek to ensure the security of personal data processing. 145The calculation proceeds on the basis of a single statutory maximum of £17.5 million. A. Step 1: Assessment of the seriousness of the infringement 144The turnover-based higher maximum applies only to undertakings with a total worldwide annual turnover exceeding £437.5 million. The PSNI is not an undertaking. 145For the avoidance of doubt, the Commissioner considers Articles 5(1)(f) and 32 UK GDPR to be evidently distinct provisions of the UK GDPR (notwithstanding the degree of overlap). Had he calculated penalties for infringements of these provisions separately, the Commissioner would have had to ensure, in accordance with Article 83(3) UK GDPR, that the total penalty did not exceed the amount specified for the gravest infringement (that of Article 5(1)(f) UK GDPR). In this Penalty Notice, however, the Commissioner has simply calculated a single penalty. 68FOR PUBLIC RELEASE 169. As set out at paragraphs 109 to 115 of the Fining Guidance, the Commissioner determines a starting point for the penalty first by assessing the seriousness of the infringement. The Commissioner categorises the infringement according to its degree of seriousness and then chooses a starting point based on a percentage of the relevant applicable statutory maximum. 170. In this Penalty Notice (paragraph 132 above), the Commissioner has categorised the infringements as having a high degree of seriousness. This means that the starting point will be between 20% and 100% of the relevant legal maximum (£17.5 million). 171. The Commissioner decides that the infringements warrant a starting point of 80%. 172. A starting point lower than 80% is not warranted for the reasons set out at paragraphs 101 to 132 above. The Commissioner does not repeat those reasons here. 173. A starting point higher than 80% is not warranted for the following reasons: a) the purpose of the Relevant Processing was to comply with statutory obligations; b) the Relevant Processing was not extensive; c) the infringements were not intentional. B. Step 2: Accounting for turnover 174. Having assessed the seriousness of the infringements, the Commissioner next determines any adjustment to reflect the size of the recipient of the 69FOR PUBLIC RELEASE penalty. 146This is consistent with the need to ensure the amount of the penalty is effective, proportionate and dissuasive. 175. Where the recipient is an undertaking, the Commissioner will determine the adjustment by reference to the undertaking’s turnover. As explained at paragraph 119 of the Fining Guidance, where a recipient is not an undertaking and therefore does not have turnover (as is the case with the PSNI), the Commissioner may instead have regard to other indicators of the recipient’s financial position, such as assets, funding or administrative budget. 176. Where a recipient is a public body, the Commissioner’s usual practice is to have regard to the recipient’s administrative budget or expenditure. The benefit of this approach is twofold: firstly, it acts as an easily understood and standardised comparator; secondly, whilst still correlated with the scale of the public body, it excludes core activities and thus limits any adverse impact on public services. 177. As a measure of administrative expenditure, the Commissioner has used the PSNI’s figure for actual expenditure on administrative and industrial 147 148 staff pay in the financial year 2023/24. This figure was £117 million. 178. As set out in the Fining Guidance, in the case of an undertaking with an annual turnover of between £100 million and £250 million, the Commissioner may apply an adjustment factor of 20% to 50% to the 146 As set out at paragraph 128 of the Fining Guidance, any such adjustment is discretionary. 147Figure obtained from PSNI Finance Report provided to the Commissioner on 11 April 2024. As the financial year 2023/24 had only just ended, the PSNI was only able to provide provisional figures. The PSNI’s final audited accounts for the year 2023/24 were laid before the Northern Ireland Assembly on 4 July 2024: Police Service of Northern Ireland - Annual Report and Accounts for the year ended 31st March 2024 (psni.police.uk) (accessed 26 September 2024). 148Rounded down from £117,653,000. 70FOR PUBLIC RELEASE starting point. The Commissioner considers this range of adjustment is also appropriate in this case. 179. As he has only taken into account the PSNI’s administrative expenditure, the Commissioner considers a figure at the higher end of this range of adjustment is appropriate: the Commissioner decides that an adjustment of 40% is appropriate to reflect the PSNI’s size. C. Step 3: Calculation of the starting point 180. The starting point of the penalty is calculated as follows: Fixed statutory maximum amount (£17.5 million) x adjustment for seriousness (80%) x turnover adjustment (40%) = £5,600,000 (£5.6 million) D. Step 4: Adjustment to take into account any aggravating or mitigating factors. 181. The Commissioner next takes into account any aggravating or mitigating factors. These factors may warrant an increase or decrease in the level of the penalty calculated at the end of Step 3 (the starting point of £5.6 million). 182. One aggravating factor influenced the Commissioner’s decision to impose a penalty: the PSNI’s degree of responsibility (see paragraphs 143 to 147 above). On this occasion, the Commissioner considers the starting point adequately reflects the PSNI’s degree of responsibility and so an adjustment for this aggravating factor is not required. There is therefore no adjustment at Step 4. 71FOR PUBLIC RELEASE E. Step 5: Adjustment to ensure the fine is effective, proportionate and dissuasive 183. As set out at paragraph 142 of the Fining Guidance, “the aim of Steps 1 to 4 of the calculation is to identify a fine amount that is effective, proportionate and dissuasive. The purpose of Step 5 is to provide the opportunity for the Commissioner to check that is the case.” 184. The Commissioner considers that a penalty of £5.6 million will be both effective and dissuasive. A penalty of this amount will have a genuine deterrent effect, taking into account both the specific deterrence to the PSNI and the general deterrence to other organisations. 185. The penalty is specific to the egregious nature of the infringements and reflects the PSNI’s economic situation. By adequately reflecting the fact that the PSNI is a public body, the turnover adjustment applied (40%) has ensured that the penalty is proportionate and appropriate to the size and financial position of the PSNI. The penalty is not more than is appropriate or necessary in the circumstances. F. The Commissioner’s revised approach to public sector enforcement 186. As explained at paragraph 163, in June 2022 the Commissioner set out a revised approach to public sector enforcement. 149 Having considered that revised approach, the Commissioner considers that it is appropriate to reduce the amount of the penalty from £5.6 million to £750,000. 149Open letter from UK Information Commissioner John Edwards to public authorities, 30 June 2022. The revised approach (which was trialled for a two-year period ending in June 2024) is currently under review. The revised approach continues to be applied pending the outcome of that review: ICO statement on its public sector approach trial | ICO. 72FOR PUBLIC RELEASE G. Conclusion - penalty 187. For the reasons set out above, the Commissioner decides to impose a penalty on the PSNI of £750,000. H. Financial hardship 188. Paragraph 151 of the Fining Guidance explains that “In exceptional circumstances, the Commissioner may reduce a fine where an organisation or individual is unable to pay because of their financial position.” 189. The notice of intent (given to the PSNI on 20 May 2024) indicated that the amount of the penalty the Commissioner proposed to impose was £750,000. The PSNI made a claim of financial hardship in written representations dated 14 June 2024. 190. As explained at paragraph 152 of the Fining Guidance, “The Commissioner will only grant a reduction for financial hardship on the basis of objective evidence that imposing the proposed fine would irretrievably jeopardise an organisation’s economic viability… The Commissioner will not base any reduction on the mere finding of an adverse … financial situation.” 191. Whilst the Commissioner acknowledges the financial challenges faced by the PSNI, the Commissioner is not convinced, on the basis of the evidence put forward in the written representations, that the PSNI’s economic viability would be irretrievably jeopardised as a result of a penalty of £750,000. 192. Whilst the PSNI’s representations do not justify a reduction for financial hardship, the Commissioner has considered those representations in relation to the proportionality of the penalty amount as follows: 73FOR PUBLIC RELEASE a) The PSNI’s final audited position for the year 2023/24 involves a small resource underspend. This position assumes a penalty of £610,000. 150 The PSNI initially submitted that a penalty of £750,000 would result in the PSNI reporting a 2023/24 resource overspend, “pushing PSNI into breaching spending limits” and that this would “initiate a whole range of other unintended consequences related to financial management, financial 151 reporting and Assembly accountability.” When probed by the Commissioner, however, the PSNI stated that “If the fine imposed is £750k, the £140k difference between the [£610,000] accrual and the fine would be chargeable to the 2024-25 budget.” 152 The financial position for the year 2023/24 would therefore remain unchanged. b) The PSNI submitted that a penalty of £750,000 would frustrate efforts to allocate additional resources to the improvement of information management within the force. The representations did not include specific proposals as to how funds arising from a penalty reduction would be allocated. In applying the revised approach to public sector enforcement to reduce the penalty amount, the Commissioner has already taken impacts of this nature into account. In any event, the Commissioner must ensure that a penalty is not only proportionate but also a deterrent and an effective sanction for the infringements. 193. The Commissioner has therefore not reduced the penalty amount from £750,000 (the amount indicated in the notice of intent). 150PSNI letter to Commissioner, 12 July 2024, p. 1. 151PSNI written representations, 14 June 2024, p. 3-4. 152PSNI letter to Commissioner, 12 July 2024, p. 2. 74 FOR PUBLIC RELEASE VII. PAYMENT OF THE PENALTY 194. The penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 25 October 2024. 195. Under paragraph 9(4) of Schedule 16 to the DPA, in Northern Ireland, a penalty is recoverable— a) if a county court so orders, as if it were payable under an order of that court; b) if the High Court so orders, as if it were payable under an order of that court. 196. Under paragraph 9(1) of Schedule 16 to the DPA, the Commissioner must not take action to recover a penalty unless— a) the period for payment specified in this Penalty Notice (by 25 October 2024) has ended, b) any appeals against this Penalty Notice have been decided or otherwise ended, c) if this Penalty Notice is varied, any appeals against the penalty variation notice have been decided or otherwise ended, and d) the period for the PSNI to appeal against the penalty, and any variation of it, has ended. VIII. RIGHTS OF APPEAL 197. By virtue of section 162 DPA, the PSNI may appeal to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) against this Penalty Notice. The PSNI may appeal to the Tribunal against the amount of the penalty, whether or not the PSNI appeals against the Penalty Notice. 75FOR PUBLIC RELEASE 198. Information about the appeals process is set out in the Annex. Any notice of appeal should be sent or delivered to the Tribunal so that it is received within 28 days of the date of this Penalty Notice. Dated: 26 September 2024 Stephen Bonner Deputy Commissioner, Regulatory Supervision Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 76