PSNI facing a £750k fine following spreadsheet error that exposed the personal information of its entire workforce

• Data breach brought tangible fear of threat to life
• "Perfect storm of risk and harm" highlights human impact of poor data security
• We used discretion to significantly reduce potential fine to ensure public money is not diverted from where most needed

We have announced we intend to fine the Police Service of Northern Ireland (PSNI) £750,000 for failing to protect the personal information of its entire workforce.

The proposed fine relates to an incident where personal information – including surname, initials, rank and role of all 9,483 serving PSNI officers and staff – was included in a "hidden" tab of a spreadsheet published online in response to a freedom of information request. Our investigation has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate.

John Edwards, UK Information Commissioner, said:

“The sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm – and show how damaging poor data security can be.

“Throughout our investigation, we heard many harrowing stories about the impact this avoidable error has had on people’s lives – from having to move house, to cutting themselves off from family members and completely altering their daily routines because of the tangible fear of threat to life.

“And what’s particularly troubling to note is that simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident, which has caused untold anxiety and distress to those directly affected as well as their families, friends and loved ones, did not happen in the first place.

“I am publicising this potential action today to once again highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”

In September 2023, following the report from the PSNI and reports of a number of other high-profile personal data breaches, the Commissioner issued an advisory notice which provided recommendations public authorities should adopt to ensure personal information is not inappropriately included as part of a freedom of information response.

Recognising that public money is best used to support the delivery of essential services, the Commissioner used his discretion to apply the public sector approach when calculating the PSNI provisional fine amount. The aim of the approach is to ensure public money is not diverted away from where it is needed most, while maintaining the right to issue fines in the most serious of cases. Had the public sector approach not been applied, this provisional fine would have been set at £5.6 million.

PSNI has also been issued with a preliminary enforcement notice, requiring the Service to improve the security of personal information when responding to FOI requests.

The Commissioner’s findings are provisional, and he will carefully consider any representations PSNI make before making a final decision on the fine amount and the requirements in the enforcement notice.