The ICO has fined the Police Service of Northern Ireland (“PSNI”) £750,000 in what it has described as the “most significant data breach that has ever occurred in the history of UK policing”[1]. The ICO imposed the largest-ever fine on a public body following the unauthorised disclosure of an Excel spreadsheet containing the personal data of 9,483 police officers and staff. Given that the ICO’s stated policy for public authorities is for enforcement to act as a deterrent and to remedy data breaches through reprimands and enforcement notices, with the use of fines reserved for the most egregious cases, it is, at first glance at least, surprising to see the level of fine imposed. The fine comes with a word of warning to private sector data controllers that they would not have benefited from the reduction afforded to public sector enforcement and could have faced a fine of up to £17.5 million.
Background
On 3 August 2023, the PSNI received two Freedom of Information (FOI) requests from the website WhatDoTheyKnow (WDTK) requesting details of the number of officers and staff at each rank or grade. This data was compiled by the PSNI’s Workforce Planning Team by downloading and editing existing HR Excel spreadsheets. After preparation, the responsive spreadsheet was sent to the Head of the Workforce Planning Team for quality assurance checks. Once reviewed, it was forwarded to the FOI Decision Maker, who chose to disclose the Excel file in its original format rather than convert it to a Word document, due to technical issues.