Outdated approach to data contributed to major PSNI breach, report finds

A MAJOR PSNI data breach was fundamentally the consequence of the police force not seizing opportunities to secure and protect its internal information, an independent review has concluded.

The review headed by Pete O’Doherty, temporary commissioner from the City of London Police, said a “siloed approach” to information management functions was also a strong contributory factor.

The report, which has made 37 recommendations, said structures within the force for dealing with data are “outdated”.

It also dealt with the impact the leak has had on the PSNI, stating that more than 4,000 officers and staff have contacted a threat assessment group, with a similar number involved in potential legal action.

In August the details of almost 9,500 PSNI officers and staff were mistakenly published in response to a Freedom of Information request.

The list included the surname and first initial of every employee, their rank or grade, where they are based and the unit in which they work.

Police later said the information is in the hands of dissident republicans.

The PSNI has indicated that the data breach could potentially cost the force £240 million (€280.5 million) in security and legal costs

The controversy contributed to the resignation of then chief constable Simon Byrne and led the PSNI and Policing Board to commission the review.

In the report, O’Doherty said: “This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland, and therefore the actual, or perceived, threats towards officers, staff, and communities.”

In its findings, the report concluded: “It is now evident that the breach that occurred was not a result of a single isolated decision, act, or incident by any one person, team, or department.

“It was a consequence of many factors and, fundamentally, a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.

“At the time of the incident these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI.

“This failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions, have been strong contributory factors to the breach.”

The report added: “Data and security are everyone’s business and need to be managed and nurtured in the same way as people and financial resources.”

It continued: “The need to better prioritise data, information and cyber security is not recognised at a strategic level or adequately driven by executive leaders.

“There is no force programme or strategy.

“Information asset owners (IAOs) are inconsistent. As such, there is an insufficient response at tactical and operational levels.

“Structures are outdated, siloed, and require better co-ordination with resource allocation to these areas of business not reflecting their importance.

“It is no surprise therefore that associated policies, processes, practices, training and attitudes, where they do exist, are not effectively adapted and remain too generic.”

The report has made a number of recommendations, including the creation of a specialist role akin to chief data officer to oversee and co-ordinate data functions.

O’Doherty said the findings of the report will also be of interest to other police forces in the UK.

The report said seven PSNI staff members were involved in dealing with the FoI response before the information was published online.

On the impact of the leak on the force, it said: “Of the 9,483 people involved, over 4,000 proactively contacted the threat assessment group set up by PSNI as a means of support and information.

“A similar number are thought to be part of a complaint to the ICO (Information Commissioner’s Office), and a civil action against the force.”

It added that, at the time the review was carried out, no officers or staff members had been moved for their safety, although one officer has relocated.

Some officers have temporarily relocated and others expressed a desire to relocate, but were unable to due to financial reasons.

There has been one resignation and more than 50 sickness absences linked to the data breach.

The report said: “The review team heard of officers and staff now too frightened to visit friends or family, who have withdrawn from the social aspects of their lives, and who fear visiting their place of worship.”

It continued: “The potential for operational consequences for the force is high.

“With recruitment and retention already problematic, especially amongst certain communities, this incident is unlikely to provide confidence to those wanting to become part of the service but fearing identification.”

Responding to the report, PSNI chief constable Jon Boutcher said: “The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organisation not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.

“The service executive team will now take time to consider the report and the recommendations contained within it.”