The Police Service of Northern Ireland (PSNI) accidentally shared details of 10,000 employees last week. It also confirmed an earlier breach from July 2023.
The surname and first initial of every employee, their rank or grade, where they are based and the unit they work in, including sensitive areas such as surveillance and intelligence, were included. In some instances, this detail was highly sensitive, particularly for individuals working in intelligence or covert operations.
Information about a second data breach, involving the theft of a spreadsheet with the names of 200 officers and staff, also emerged. The PSNI said documents, along with a police-issue laptop and radio, were believed to have been stolen from a private vehicle in Newtownabbey, County Antrim, on 6 July.
The police have since confirmed they have wiped both of those devices remotely and are confident that information they contained would not be accessible by a third party.
All of this information however, was published online, and available for 2½ to three hours before the mistake was identified and it was removed from the site, though by that stage it was already circulating.
Almost 2,000 officers are considering taking legal action in the wake of the breaches,
Key Points
- The data was provided in error in a PSNI response to a Freedom of Information (FoI) request by a member of the public who asked for statistical information on the total PSNI strength and how many officers of each rank.
- The response was published on an FoI website, but with it was the “source data”, a separate tab which, when clicked, revealed a spreadsheet containing the additional detail.
- More than 1,200 staff have raised concerns about the security breaches with the PSNI.
Action Required
- Organisations should review and update their policies and procedures regarding Freedom of Information requests and provide appropriate guidance to staff to ensure that appropriate checks and balances are in place to protect sensitive data.
- Organisations should also remind staff of their responsibilities to ensure the security of personal devices containing personal identifiable data.
For further discussion and support, including data protection awareness training services please email dpa@tiaa.co.uk