THE POLICE SERVICE of Northern Ireland (PSNI) is reeling after a major data breach which meant detailed information about its employees was potentially viewable to the public for several hours.
The surname, initial, rank or grade and work location of all current officers and civilian staff had been accidentally published in response to a Freedom of Information request.
Northern Ireland Secretary Chris Heaton-Harris said he is “deeply concerned” by the breach, while the Police Federation for Northern Ireland (PFNI), which represents rank-and-file staff, said its members are “appalled”.
Here’s what happened, why it’s a major concern for the PSNI and what the response has been.
Last night, a PSNI statement said that it was investigating a data breach that had “resulted from information included in error in response to a Freedom of Information Request”.
In the published response to the request a table was embedded that contained the rank and grade data, but also included detailed information that attached the surname, initial, the location and the departments for all employees of the PSNI, but not their home addresses.
Both officers and civilian staff were affected. The data was potentially public for between 2.5 and three hours.
The PSNI said it was investigating the breach and apologised to those affected. It has declared the breach as a critical incident.
The force’s Senior Information Risk Owner, Assistant Chief Constable Chris Todd, said in a statement: “We have informed the organisation to make our officers and staff aware of the incident, appreciating the concern that this will cause many of our colleagues and families. We will do all that we can to mitigate any such concerns.
“The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.
“The information was taken down very quickly. Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately.
Addressing the media in Belfast yesterday, Todd apologised to officers for the “unacceptable” breach.
He said that once it was brought to the PSNI’s attention it was taken down “quickly”, and that early indications were that this was a “simple human error”.
Todd also said there were no immediate security concerns, but they were monitoring the situation.
The incident was first reported by the Belfast Telegraph, which reported that it viewed the uploaded material after it was contacted by a relative of a serving officer.
Apart from the person who released the information, the PSNI was unaware the information had been released until they saw it on a website.
The PSNI publishes information released under Freedom of Information. In both the UK and Ireland, the public has the right to request recorded information held by public authorities.
Members of the public may make these requests so they can access their own personal data, or information that is relevant to, say, the area where they live. Freedom of information is often used by journalists to access information that is available to the public but not readily available.
According to the UK’s Information Commissioner’s Office, there are several instances where personal information will need to be redacted from information before it is released under FOI, including when disclosing third party personal data would breach data protection principles.
The PSNI has not said who made the request.
Police in Northern Ireland are under threat from terrorists, with the current assessed level of threat at severe, meaning an attack is highly likely.
Speaking to the media yesterday, Todd said: “We operate in an environment at the moment where there’s a severe threat to our colleagues from Northern Ireland-related terrorism and this is the last thing that anybody in the organisation wants to be hearing this evening.
In February, senior detective John Caldwell was seriously injured when he was shot by gunmen at a sports complex in Co Tyrone.
Responsibility for the attack was later claimed by the dissident republican group the New IRA.
The group has been linked to two attacks in recent years, including the planting of a bomb under a policewoman’s car in April 2021.
Earlier this year, Chief Constable Simon Byrne said he receives briefings almost every day about plots to attack and kill his officers, adding that the ongoing threat from dissident republicans remains a “real worry”.
Byrne is understood to be on holiday, but has been informed of the data breach and is being kept updated.
Liam Kelly, chairman of the Police Federation for Northern Ireland which represents rank and file officers, told BBC Radio 4 today: “Our officers go to great lengths to protect their identities. Some of them don’t even tell their close friends and associates that they are actually in the police.”
He said: “People like myself and the senior management in police, it’s public knowledge that we are police officers, it’s public knowledge where we work, but there are a lot of officers in our service who don’t have that freedom available to them.”
He agreed that some might be working for the security services in MI5, adding: “There are a number of our officers who work in very sensitive roles. Roles where a veil of secrecy is required because of the nature and the danger associated with that role.”
Kelly said that legal action is “something we will consider once the investigation concludes” and that he is not willing to do a vote of no confidence in the chief constable “at this point”.
Police officers in Northern Ireland are “shocked, dismayed and basically angry” at the breach, he said.
“What my members and myself clearly need to hear from the PSNI is the steps that they intend to take to support not only our officers but their families.”
Northern Ireland Secretary Chris Heaton-Harris said he is “deeply concerned”.
Alliance leader Naomi Long, a former justice minister in the Northern Ireland Executive, said the PSNI data release was an “unprecedented breach”.
She said that “in some cases, in terms of their rank, it would disclose sensitive information about individuals” that would not have been available to the public – “if they’re undercover officers, if they’re involved in intelligence operations, and so on”.
She told RTE Radio: “It’s probably the most serious data breach that we have ever seen in some considerable time.”
DUP MLA for South Antrim, Trevor Clarke, a member of the Northern Ireland Policing Board, said they would look for answers when it meets tomorrow, and pinned some blame on Heaton-Harris.
“The Secretary of State has presided over a budget, which is the worst that the police have ever had – they’ve looked to reduce numbers at a time they should’ve been increasing numbers,” he told BBC Radio 4’s World Tonight.
A spokesman for the Information Commissioner’s Office said the PSNI “has made us aware of an incident and we are assessing the information provided”.
Additional reporting by PA
To embed this post, copy the code below on your site
have your say