PSNI Data Breach

Data protection has been in the headlines this week after the Police Service of Northern Ireland (PSNI) suffered a large-scale data breach on 8 August 2023 in which the names, locations, and roles of 10,000 staff and police officers were shared on the internet. The data breach occurred after an error was made when responding to a Freedom of Information request (FoI). 

An FoI request was made to the PSNI asking for the number of officers at each rank and the number of staff at each grade across the PSNI. A spreadsheet containing those numbers was provided to the requester; however, the spreadsheet also contained embedded additional data, including the surname, initial, rank or grade, location and department of every current employee. The spreadsheet was then published on an FoI website known as ‘What Do They Know’. It was removed as soon as the PSNI became aware of it, which was two hours later.

The Data Protection Act 2018 and the UK GDPR (collectively known as the Data Protection Legislation) require appropriate technical and organisational measures to be in place to protect personal data, and require organisations to ensure compliance with the relevant data protection principles.

The Information Commissioner, John Edwards, said that the PSNI incident demonstrates “just how important it is to have robust measures in place to protect personal information, especially in a sensitive environment”. 

This data breach comes shortly after the UK Electoral Commission announced that it had been the subject of a cyber attack after hackers accessed reference copies of the electoral registers which contained names and addresses of anyone registered to vote between 2014 and 2022, as well as overseas voters (around 40 million people). 

Both of these incidents are still being investigated, and the ICO is working with the PSNI and UK Electoral Commission to establish the level of risk, however, both breaches could potentially have serious consequences. For example, some officers whose data was involved in the PSNI breach have reportedly had to move out of their homes, and are worried about the safety of themselves and their families.

What is a data breach?

A personal data breach means a breach of security of personal data which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach can take place whether the incident happens accidentally (for example the PSNI breach) or deliberately (for example the UK Electoral Commission breach).

The Data Protection Legislation imposes a duty on organisations to report data breaches which are likely to result in a risk to the rights and freedoms of individuals to the Information Commissioner's Office (ICO). Reports must be made without undue delay and within 72 hours of becoming aware of the breach. On some occasions, it may also be necessary to inform the data subjects involved.

What does this mean for businesses? 

It is clear from the PSNI breach how important it is that organisations have procedures in place to ensure that FoI requests (and data subject access requests) are dealt with correctly and there are checks in place to ensure that the correct data is provided and is adequately protected.
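As an added, illustrative example (not code from the PSNI, the ICO or this firm), the following Python script performs the kind of pre-release check the paragraph above calls for: it opens an .xlsx file using only the standard library and reports hidden sheets, hidden columns and rows, and the number of populated cells on each sheet, since hidden content is exactly what a reviewer looking only at the visible grid will miss. The sample workbook it builds is constructed for the demonstration; the sheet names, columns and layout are assumptions and do not reproduce the real file.

```python
"""Pre-release check for an .xlsx file before it goes out in response to an
FoI or subject access request: report hidden sheets, hidden columns and rows,
and how many cells each sheet actually holds, so a reviewer sees what the
visible grid does not. Standard library only."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside the Office Open XML package.
NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
}
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
WS_REL = NS["r"] + "/worksheet"


def col_letter(n: int) -> str:
    """Column index to spreadsheet letters: 1 -> A, 26 -> Z, 27 -> AA."""
    letters = ""
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(65 + rem) + letters
    return letters


def inspect_xlsx(data: bytes) -> dict:
    """Return hidden sheets, hidden column/row ranges and cell counts per sheet."""
    findings = {"hidden_sheets": [], "hidden_cols": {}, "hidden_rows": {}, "cell_counts": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        workbook = ET.fromstring(pkg.read("xl/workbook.xml"))
        rels = ET.fromstring(pkg.read("xl/_rels/workbook.xml.rels"))
        targets = {rel.get("Id"): rel.get("Target") for rel in rels}
        for sheet in workbook.find("m:sheets", NS):
            name = sheet.get("name")
            # The state attribute is absent for visible tabs; "hidden" and
            # "veryHidden" both remove the tab from view in the application.
            if sheet.get("state", "visible") != "visible":
                findings["hidden_sheets"].append(name)
            part = "xl/" + targets[sheet.get("{%s}id" % NS["r"])]
            ws = ET.fromstring(pkg.read(part))
            cols = ws.find("m:cols", NS)
            hidden_cols = [
                f"{col_letter(int(c.get('min')))}:{col_letter(int(c.get('max')))}"
                for c in (cols if cols is not None else [])
                if c.get("hidden") in ("1", "true")
            ]
            rows = ws.findall(".//m:row", NS)
            hidden_rows = [int(r.get("r")) for r in rows if r.get("hidden") in ("1", "true")]
            if hidden_cols:
                findings["hidden_cols"][name] = hidden_cols
            if hidden_rows:
                findings["hidden_rows"][name] = hidden_rows
            # Cell count per sheet: a "summary" sheet carrying hundreds of cells
            # is a signal that more than the requested figures are present.
            findings["cell_counts"][name] = sum(len(r.findall("m:c", NS)) for r in rows)
    return findings


def safe_to_release(findings: dict) -> bool:
    """Any hidden sheet, column or row means the file needs human review first."""
    return not (findings["hidden_sheets"] or findings["hidden_cols"] or findings["hidden_rows"])


def build_sample_xlsx() -> bytes:
    """Constructed sample (assumed layout, not the real file): a visible 'Summary'
    sheet with two hidden columns and a hidden 'Staff' sheet of per-person rows."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'

    def row(i, cells, hidden=False):
        attr = ' hidden="1"' if hidden else ""
        return f'<row r="{i}"{attr}>' + "".join(cells) + "</row>"

    summary = (
        f'<worksheet xmlns="{NS["m"]}"><cols><col min="4" max="5" hidden="1"/></cols><sheetData>'
        + row(1, [cell("A1", "Rank"), cell("B1", "Count"), cell("D1", "Surname")])
        + row(2, [cell("A2", "Constable"), cell("B2", "12"), cell("D2", "Smith")])
        + "</sheetData></worksheet>")
    staff = f'<worksheet xmlns="{NS["m"]}"><sheetData>' + "".join(
        row(i, [cell(f"A{i}", "Surname"), cell(f"B{i}", "Initial"), cell(f"C{i}", "Station")],
            hidden=(i == 3))
        for i in (1, 2, 3)) + "</sheetData></worksheet>"
    workbook = (
        f'<workbook xmlns="{NS["m"]}" xmlns:r="{NS["r"]}"><sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Staff" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>")
    rels = (
        f'<Relationships xmlns="{PKG_REL}">'
        f'<Relationship Id="rId1" Type="{WS_REL}" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{WS_REL}" Target="worksheets/sheet2.xml"/>'
        "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/workbook.xml", workbook)
        pkg.writestr("xl/_rels/workbook.xml.rels", rels)
        pkg.writestr("xl/worksheets/sheet1.xml", summary)
        pkg.writestr("xl/worksheets/sheet2.xml", staff)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_xlsx(build_sample_xlsx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to release:", safe_to_release(result))
```

Run against a real file with `inspect_xlsx(open("response.xlsx", "rb").read())`. The check only reads the package structure, so it is cheap enough to run on every outgoing attachment; a negative result from `safe_to_release` should stop the release until someone has confirmed that the hidden content is either removed or genuinely within scope of the request.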

Organisations also need to ensure they have a Breach Notification Policy in place to ensure all staff members know what to do if a data breach occurs, especially given the timescales to report the breach to the ICO, if it is reportable. It is also important that staff receive the appropriate training to mitigate the risk of a data breach occurring in the first place. Training should include information on how to recognise a data breach, how to report a breach and how to protect data to avoid a data breach. 

It is also important to keep a record of all breaches, whether they are reportable or not, in case any further action is needed in the future. This will also help the organisation to demonstrate its compliance with the accountability principle under the Data Protection Legislation.

We are often asked to assist in relation to data breaches, and if your organisation needs help with navigating a data breach, or if your organisation would like any training on data breaches, you can contact Emma Loveday-Hill directly at elovedayhill@prettys.co.uk or join our data protection hub for our latest legal updates, articles and invitations to our exclusive events at https://www.prettys.co.uk/join-data-protection-hub .


11th August 2023

Expert
Emma Loveday-Hill
Partner