Following the significant breach, which saw the personal details of 9,483 PSNI police officers and staff accidentally published on a public website following a legitimate Freedom of Information (FOI) request, the PSNI and the NIPB requested an independent peer review of the matter.
A team led by NPCC Information Assurance lead, and City of London Police T/ Commissioner, Peter O’Doherty, was commissioned to conduct the review.
Yesterday, the Protecting From Within review was published.
In his report, Mr O’Doherty described the incident as “the most significant data breach that has ever occurred in the history of UK policing”, adding that it should serve as “a wake-up call for every force across the UK to take the security of data as seriously as possible”.
The surnames, first initials, rank, location and unit (among other details) of the PSNI officers and staff were visible for around two-and-a-half hours online before they were removed.
“The volume of data managed, processed, and stored by policing is vast and continues to increase, both in terms of volume and complexity. Furthermore, policing holds the most sensitive of data and information and so it is essential that all police forces foster a robust and highly committed approach to data and information management and security, and ensure we have the leadership, governance, structures, and systems in place to protect the institution of policing and everyone who is part of it and effected by it.
“I have presented the findings of the report to both the PSNI and the NIPB. This report not only services to highlight how the breach occurred, but also provides 37 clear recommendations that will help the PSNI evolve in its leadership of all data protection, information management, and security.
“It is important to recognise that many of these recommendations will need to be considered by every police force in the UK, so that we collectively work to improve how our data is protected and safeguarded.”National Police Chiefs’ Council Information Assurance lead, and City of London Police T/ Commissioner, Peter O’Doherty
‘Many factors’ involved
Mr O’Doherty’s report said the breach was not “a result of a single isolated decision, act, or incident by any one person, team, or department. It was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way”.
The report also noted that, “at the time of the incident, these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI”.
One officer resigned citing the impact of the breach, while 50 others have gone on sick leave. Furthermore, officer and staff mental health has worsened, with some saying they are too frightened to visit friends and family. Staff association membership has also increased significantly as a direct result of the data breach
The incident contributed to the resignation of the PSNI chief constable, Simon Byrne, in September. His successor, Jon Boutcher, said the report showed “organisational failing”.
Download the full review for more information.
Image by Darwin Laganzon from Pixabay