PSNI: Data breach 'wake-up call' for UK forces, review says

A major data breach within the Police Service of Northern Ireland (PSNI) has been described as "a wake-up call" for forces across the UK.

A report into the data leak has made 37 recommendations for improving information security within the PSNI.

In August, the surnames and initials of all the PSNI's 9,500 staff were released by mistake.

Police later confirmed that the information was in the hands of dissident republicans, among others.

The PSNI and the Policing Board commissioned an independent review of the incident - which was carried out by Pete O'Doherty, temporary commissioner of the City of London Police.

His report, which was published on Monday, said the leak was "a wake-up call for every force across the UK to take the security of data as seriously as possible".

The PSNI released the information in the form of a vast data spreadsheet, which was attached in error to a Freedom of Information (FoI) request asking for a breakdown of staff roles.

It was then published on an FoI website, where it was viewable for two-and-a-half hours before the police had it removed.

It included details of where people worked and their roles.

Mr O'Doherty's report said the leak was "not the result of a single isolated decision or act by one person, team or department".

"It was the consequence of many factors, and fundamentally a result of [the] PSNI not seizing opportunities to better and more proactively secure and protect its data," the report added.

"At the time of the incident, these factors had not been identified by risk management or scrutiny mechanisms, internal or external."

Current Chief Constable Jon Boutcher said the report "was difficult reading but I accept and indeed embrace the learning within it".

"As the report shows, no individual, team, department, decision or act caused this breach - this is an organisational failing, an accumulation of issues," he said.

He said every PSNI officer and staff member would be offered a one-off payment of £500 to help with home security measures following the data leak.

"Because of the support of the Department of Justice and the Secretary of State, we are able to make that offer," he told a news conference.

"It has yet to be finalised. I want to make sure we provide them with the reassurance they deserve.

"We need to show them that we support them.

"For what is required for most people, it will be sufficient around some cameras and security measures that they would want."

"We must take responsibility as a leadership team for this and prioritise information security in our day to day business."

The FoI request was answered by the PSNI's human resources department.

An individual within the department did not remove a hidden tab containing the spreadsheet of raw data used to compile the FoI response.

The tab was visible as three dots, and was also missed by others.

Some of the report's recommendations deal with how FoI requests are handled, including file formats.

There also needs to be "clarity [as] to who has responsibility for data sign off", it said.

The Police Federation for Northern Ireland, which represents rank and file officers, warned it would cost millions of pounds to address the deficiencies which led to the breach.

Mr Kelly said given the PSNI already had a significant budget deficit, it would be "impossible for any of these costs to be absorbed by the service, either now or in the future".

He said there was an onus on the UK government to allocate funding to implement the report's recommendations.

The Catholic Police Guild of Northern Ireland said staff "need and deserve to feel safe", external because "nobody should be unable to visit their families, friends and places of worship, especially at this time of year".

The PSNI apologised at the time for what was described by senior officers as a "major data breach".

It caused considerable concern among PSNI officers and staff, who face a continuing threat from paramilitaries and must be extremely vigilant about their personal security.

In September, MPs were told that the breach could cost the service up to £240m in extra security for officers and potential legal action.

Mr O'Doherty's report said that following the leak, more than 4,000 PSNI staff contacted the organisation's threat assessment group.

One officer "felt it necessary to relocate" and others did so "temporarily", the report revealed.

"The review team heard of officers and staff now too frightened to visit friends or family, who have withdrawn from social aspects of their lives and who fear visiting their place of worship," it added.

The report described "the potential" for operational consequences for the force as high.

"With recruitment and retention already problematic, especially amongst certain communities, this incident is unlikely to provide confidence to those wanting to become part of the service but fearing identification," it added.

"There is a risk to the free flow of intelligence, the lifeblood of policing, if those providing it cannot be reassured that they can do this in confidence."

The data breach contributed to the resignation of the chief constable at the time, Simon Byrne.

He stood down in September, following increasing pressure - with Jon Boutcher subsequently appointed to the role.

Link

Earlier on Monday, he said the force had "already taken action" on one of the report's recommendations.

"The role of SIRO (Senior Information Risk Owner) has been elevated to the post of deputy chief constable.

"This will ensure that information security and data protection matters will be immediately visible to the deputy chief constable, chief operating officer and chief constable, and they can be afforded the support and attention they critically deserve."

He added: "The service executive team will now take time to consider the report and the recommendations contained within it.

"We will work with the Northern Ireland Policing Board to consider the implications of the report and a timeframe for the completion of relevant actions that have been identified."