One police officer moved home and there was one resignation from the Police Service of Northern Ireland (PSNI) following the unprecedented data leak in which personal and employment information on 10,000 employees was published online, according to a report published on Monday.
The review into the data breach on August 8th, which was carried out by the National Police Chiefs’ Council (NPCC), concluded insufficient prioritisation of data protection and information management and security was to blame.
“It was not the result of a single isolated decision, act or incident by any one person, team or department,” the report found.
“It was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.”
In a statement, the PSNI Chief Constable, Jon Boutcher, said its Senior Executive Team would now take time to consider the report and its recommendations, and would work with the Northern Ireland Policing Board on a “timeframe for the completion of relevant actions that have been identified”.
Outlining the impact of the leak, the report described it as the “most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland.”
Out of the 9,483 people whose information had been published online, more than 4,000 contacted the threat assessment group set up by the PSNI, and a “similar number” are thought to be part of a complaint to the Information Commissioner’s Office and a civil action against the force.
At the time of the review, the report said, “no-one had been moved for their safety, although one officer felt it necessary to relocate to keep themselves and their family safe.
“Some have temporarily relocated as the situation progresses and until they feel in a position of safety.”
Some would like to do so but are “without the financial means to do so, most particularly junior and younger personnel.
“One resignation has been received citing the impact, and [there were] over 50 reported sickness absence linked to the data breach at the time of the review visit to PSNI.”
At a media briefing on Monday, the lead author of the report, Claire Vickers-Pearson, said the figures were accurate when the review was carried out but “those numbers have increased.”
She said that as far as they were aware, “the actions taken are not in response to a credible threat [but as a review team] there may be information or intelligence that we don’t have access to.”
The report also noted that “officer and staff mental health in particular has worsened, and there are additional pressures on welfare services and line management,” with many unable to access support services “in a timely manner” and unable to afford private healthcare.
“It has been reported that many have been unable to access public wellbeing and mental health support services in a timely manner when needed and cannot afford access to private health services,” it said.
The report published on Monday was an independent peer review of the data breach commissioned by the PSNI and Northern Ireland Policing Board, and led by the NPCC Information Assurance lead and T/ Commissioner of the City of London Police, Pete O’Doherty.
Its brief was to investigate the processes and actions that led to the breach and any organisational, management or governance factors that allowed to occur, to identify changes required to prevent further data leaks and to restore confidence in the PSNI’s approach to information security.
Though noting this was not within its remit, the review said the PSNI “should be alive to the possibility of a significant monetary penalty.” This could run to between 24 and 37 million pounds.
Separate investigations by the PSNI and the Information Commissioner’s Office are ongoing.
The review made 37 recommendations grouped under four “key areas” for improvement: Fragmented, inconsistent, and excessive documentation, with lack of clarity and understanding of roles and responsibilities; Demand management of internal Freedom of Information (FoI) requests; Guidance on the extraction, minimisation and anonymisation of data; Training and awareness.