Police data breaches during Freedom of Information Act responses
17 August 2023
The police unfortunately find themselves in the headlines and under scrutiny again, and this time it is closer to home. Norfolk and Suffolk Police forces have jointly reported that the personal data of 1,230 data subjects, including victims and witnesses, was erroneously provided in response to Freedom of Information Act (FOIA) requests between April 2021 and March 2022.
The FOIA provides a right of access to a wide range of information held by public authorities, including the police. The purpose of the legislation is to promote greater openness and accountability by public authorities.
In a joint statement, the police confirmed that the identifiable information was “not obviously visible”, and that the recipient would have needed to know how to access the information, which consisted of raw data files relating to crime reports. It is unclear whether risks remain to the rights and freedoms of the data subjects as a result of the incidents, which are being investigated by the Information Commissioner’s Office (the ICO, the UK’s independent body set up to uphold information rights).
The Police Service of Northern Ireland (PSNI) is also currently under investigation following a potentially very serious data breach which occurred when it responded to a FOIA request and included personal data identifying 10,000 officers and staff. Unfortunately, this response, which included data revealing the surname, initial, rank or grade, location and department of all current employees across the police service, was published online for a period of between two and three hours.
Whilst such limited data in other circumstances may have resulted in little or no risk to those individuals involved, it is clear why there are serious concerns in this case.
The level of risk to those involved is currently unknown, although the disclosure of names alongside rank, location and department not only identifies those data subjects but also enables assumptions to be made about previous cases they have worked on. In a region known for turbulent times, where the terrorist threat is deemed severe and, as reported by Sky News, “where dissident Irish Republican groups like the self-styled new IRA consider officers of the crown as legitimate targets”, it is no wonder that a risk has been identified and the matter reported to the ICO.
It appears that the PSNI acted swiftly in taking remedial action and notifying the ICO of this data breach; however, it has been reported that the police data has already been accessed by those who may wish to cause them harm.
Data breach actions
For most private and public sector organisations the following steps are recommended following a data breach*:
- If you are not the data controller, make the data controller aware of the incident without delay.
- As a data controller you should have suitable agreements in place with data processors to ensure their compliance and assistance in managing an incident. If the breach has occurred through your processor, engage their help in investigating the circumstances and risks.
- Complete a careful risk assessment of the data breach, considering the number of data subjects affected, the types of data disclosed and how it could result in a risk to the rights and freedoms of those data subjects affected. You should already have procedures and standard documents in place to be prepared for an incident.
- Take steps to mitigate the risk, such as removing data from a website, or ensuring the return of mis-sent data.
- Where a risk remains to individuals, report the incident to the ICO within 72 hours.
- If there is a high risk to individuals as a result of the data breach, those individuals must also be informed.
- Keep records of all incidents, whether reportable or not.
Potential consequences
Reputational damage
It seems that the PSNI incident has severely impacted the trust in the police force by its own police officers and staff, some of whom have moved out of their homes overnight and are now living in fear of repercussions.
The PSNI incident, the Norfolk and Suffolk incidents and other recently reported police data breaches could also affect public confidence and trust in the police.
Internal costs
A considerable amount of time and effort will have been incurred to internally investigate and identify the cause of the incident, to take steps to reduce the risks to the data subjects and thereafter to implement more robust internal procedures to ensure it does not happen again.
Fines
Following the PSNI incident the ICO indicated: “This incident raises serious concerns as it shows how even the smallest of human errors can have major consequences … [and] … demonstrates just how important it is to have robust measures in place to protect personal information, especially in a sensitive environment”.
The ICO has also indicated that they are investigating the Norfolk and Suffolk Police force incidents, along with another data breach reported by them in November 2022.
Since June 2022 the ICO has sought to reduce the impact of fines on the public sector, using warnings, reprimands and enforcement notices where possible. They are therefore unlikely to issue a fine at the highest level available to them (£17.5 million or 4% of an organisation’s annual worldwide turnover, whichever is higher); however, they have confirmed that they will issue fines to public authorities in the most serious cases.
Compensation claims
The UK General Data Protection Regulation provides a right for data subjects to claim compensation for both ‘material damage’ (i.e. monetary loss) and ‘non-material damage’ (i.e. distress). It is likely that the police will face claims for compensation following these incidents, particularly the PSNI where data subjects are in fear for their safety.
It has been reported that the overall cost in relation to the PSNI data breach could run into tens of millions of pounds, and of course that is money which would be better spent on catching criminals and reducing levels of crime.
If you require any further information in relation to this article, please contact a member of the Birketts Data Protection Team.
*There are separate data protection requirements for communications service providers, intelligence services and those processing for national security purposes.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at August 2023.