As we discussed in our article in July, the ICO has adopted an approach of moving away from fines for public sector organisations which are found to have breached data protection laws. The ICO has previously set out that a fine for the public sector will only be applicable in the most egregious of circumstances.
It seems that the ICO considers that the personal data breach by the Police Service of Northern Ireland in August 2023 meets that more serious level. We first wrote about this breach in 2023, when in response to a Freedom of Information Request (FOI) from a member of the public, PSNI accidentally provided a spreadsheet containing the personal data of more than 10,000 officers. This personal data included names, rank, unit details and work location. The spreadsheet was published on a legitimate FOI website for around two hours, during which time it was available to the public, before it was removed. This was an extremely distressing incident for the affected employees of PSNI.
Having investigated, and having considered the complaints made by affected individuals, the ICO has issued a fine of £750,000. While a large fine, the PSNI has still benefitted from its public body status, as otherwise the fine would have been £5.6 million. The ICO did not issue an enforcement notice, as it appears to have been reassured that the PSNI had taken appropriate steps to prevent a similar incident in future.
This provides some comfort to public sector organisations, who now know that their unique position will be factored into any decision by the ICO; however, that comfort should not lead to complacency. As this case shows, simple errors or mishandling of personal data can have a huge effect on an organisation and its employees. There is a cost to the business of responding to an ICO investigation, including external legal and forensic support, as well as internal resource. There is also a real risk of subsequent litigation from affected data subjects, who may be motivated by an adverse ICO decision, even where there is no fine. There is also, importantly, the human cost – to the affected data subjects, and to the staff who have to manage the aftermath of a breach.
Organisations should regularly review and challenge their internal processes to ensure personal data is protected, even when balancing the need for disclosure under FOI or another regime. It's also important to be prepared, so that an organisation can respond to a breach and take speedy remedial action. To assist public authorities, the ICO has published guidance with recommendations public authorities should adopt to ensure personal information is not disclosed in FOI or other statutory responses. There is also more detailed guidance on disclosure and a checklist to work through before disclosure.
At Burness Paull, our expert cyber and data protection team understands how challenging and disruptive data breaches can be for businesses, and the consequences that can flow from them. Whatever the nature, size or stage of the issue, we can help clients manage their response or, importantly, advise on preventative strategies to mitigate the risk of a breach occurring.