Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.

Outdated approach to data contributed to major PSNI breach, report finds

Policing Board chairwoman Deirdre Toner and PSNI Chief Constable Jon Boutcher speaking to the media following the release of the findings of the review (Liam McBurney/PA)
Policing Board chairwoman Deirdre Toner and PSNI Chief Constable Jon Boutcher speaking to the media following the release of the findings of the review (Liam McBurney/PA)

A major PSNI data breach was fundamentally the consequence of the police force not seizing opportunities to secure and protect its internal information, an independent review has concluded.

The review headed by Pete O’Doherty, temporary commissioner from the City of London Police, said a “siloed approach” to information management functions was also a strong contributory factor.

The report, which has made 37 recommendations, said structures within the force for dealing with data are “outdated”.

It also dealt with the impact the leak has had on the PSNI, stating that more than 4,000 officers and staff have contacted a threat assessment group, with a similar number involved in potential legal action.

PSNI data breach
Simon Byrne was PSNI chief constable when the data breach took place (Liam McBurney/PA)

In August the details of almost 9,500 PSNI officers and staff were mistakenly published in response to a Freedom of Information (FoI) request.

The list included the surname and first initial of every employee, their rank or grade, where they are based and the unit in which they work.

Police later said the information is in the hands of dissident republicans.

The PSNI has indicated that the data breach could potentially cost the force £240 million in security and legal costs

The controversy contributed to the resignation of then chief constable Simon Byrne and led the PSNI and Policing Board to commission the review.

In the report, Mr O’Doherty said: “This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland, and therefore the actual, or perceived, threats towards officers, staff, and communities.”

In its findings, the report concluded: “It is now evident that the breach that occurred was not a result of a single isolated decision, act, or incident by any one person, team, or department.

“It was a consequence of many factors and, fundamentally, a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.

“At the time of the incident these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI.

“This failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions, have been strong contributory factors to the breach.”

The report added: “Data and security are everyone’s business and need to be managed and nurtured in the same way as people and financial resources.”

It continued: “The need to better prioritise data, information and cyber security is not recognised at a strategic level or adequately driven by executive leaders.

“There is no force programme or strategy.

“Information asset owners (IAOs) are inconsistent. As such, there is an insufficient response at tactical and operational levels.

Policing Board chairwoman Deirdre Toner
Deirdre Toner, chairwoman of the Policing Board which commissioned the independent review alongside the PSNI (Liam McBurney/PA)

“Structures are outdated, siloed, and require better co-ordination with resource allocation to these areas of business not reflecting their importance.

“It is no surprise therefore that associated policies, processes, practices, training and attitudes, where they do exist, are not effectively adapted and remain too generic.”

The report has made a number of recommendations, including the creation of a specialist role akin to chief data officer to oversee and co-ordinate data functions.

Mr O’Doherty said the findings of the report will also be of interest to other police forces in the UK.

The report said seven PSNI staff members were involved in dealing with the FoI response before the information was published online.

On the impact of the leak on the force, it said: “Of the 9,483 people involved, over 4,000 proactively contacted the threat assessment group set up by PSNI as a means of support and information.

“A similar number are thought to be part of a complaint to the ICO (Information Commissioner’s Office), and a civil action against the force.”

It added that, at the time the review was carried out, no officers or staff members had been moved for their safety, although one officer has relocated.

It said some officers have temporarily relocated and others expressed a desire to relocate, but were unable to due to financial reasons.

It said there has been one resignation and more than 50 sickness absences linked to the data breach.

The report said: “The review team heard of officers and staff now too frightened to visit friends or family, who have withdrawn from the social aspects of their lives, and who fear visiting their place of worship.”

It continued: “The potential for operational consequences for the force is high.

“With recruitment and retention already problematic, especially amongst certain communities, this incident is unlikely to provide confidence to those wanting to become part of the service but fearing identification.”

PSNI new chief constable
PSNI Chief Constable Jon Boutcher (Liam McBurney/PA)

Responding to the report, PSNI chief constable Jon Boutcher said: “The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organisation not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.

“The service executive team will now take time to consider the report and the recommendations contained within it.”