Police Service of Northern Ireland (PSNI) – €87,750 Fine (United Kingdom, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Police Service of Northern Ireland (PSNI, the controller) managed an extensive database containing personal data on its police officers and staff. The workforce data included (for all officers and staff who were in post, suspended or on a career break): surnames and first name initials, job role, rank/grade, department, location of post, contract type, gender and PSNI service/staff number. The PSNI regularly responds to freedom of information requests and draws on this database to fulfil them. Personal data of PSNI officers and staff was processed whenever workforce data downloaded from the PSNI human resources management system was analysed in Excel to prepare information to be disclosed in response to freedom of information requests.

On 8 August 2024, an unauthorised disclosure of the personal data of all PSNI police officers and staff occurred when a spreadsheet released in response to a freedom of information request was published on the website “whatdotheyknow.com”. The Excel database consisted of several sheets, and a hidden sheet erroneously contained the personal data on PSNI staff. This sheet was not deleted before the Excel file was uploaded to the website.

The ICO determined that between 25 May 2018 (the date on which the GDPR began to apply) and 14 June 2024 the PSNI infringed Articles 5(1)(f), 32(1) and 32(2) UK GDPR. The ICO explains that the breach could have materialised at any point during this lengthy period. The personal data was not processed in a manner that ensured appropriate security through appropriate technical and organizational measures, such as training for administrative staff. The ICO states that the PSNI ought to have known that spreadsheet files are prone to hidden data (and therefore human error) and that the training provided to employees to prevent this was insufficient. The prolonged duration and the severity of the data breac
Details
Fine Date: 26 September 2024
Authority: Information Commissioner's Office
Fine Amount: €87,750 (75,000 GBP)
GDPRhub ID: gdprhub-8377
Cite as: Cookie Fines. Police Service of Northern Ireland (PSNI) - United Kingdom (2024). Retrieved from cookiefines.eu