Personal Data Breaches, PSNI & Employer’s Legal Responsibilities
10/08/2023
The PSNI personal data breach of 8 August 2023 was rightly reported as headline news. The personal data disclosed included the names of all serving police officers and staff, which were reportedly published online and available to the public for a 2½ hour period, between 14.30 and 17.00, on that date.
It is reported that the breach occurred as part of a response to a Freedom of Information request and by all accounts appears to have been human error.
This would be a serious security issue for any business, but it is of grave concern for the PSNI, where there is a potential risk to life as a result of the breach.
There will be many questions to be answered by the PSNI as to how the breach occurred and what systems it had in place to prevent such breaches and to deal with them when they occur. The PSNI has already stated that some improvements have been identified to prevent a similar breach occurring again. It is a timely reminder to all businesses to check the policies and procedures that apply in the event of a personal data breach, and to audit their processes and systems again to minimise the risk of human error causing a breach.
How should employers respond if and when a personal data breach occurs? The action taken should include the following:
- For the PSNI this breach is one that must be reported to the ICO within 72 hours of becoming aware of it, as it is “likely to present a risk to the rights and freedoms of individuals.”
An internal record should also be made of the breach.
The ICO Guide (see below) provides details about when a report should be made and what information should be included in any report.
- The PSNI should also be contacting all persons named without undue delay, which the news reports they have done. The communication should include guidance on what the person can do to protect their personal data.
- We know that the information has been removed, and in similar circumstances employers should likewise take steps to ensure the information is deleted, where possible. We have seen the PSNI publicly announcing the breach, asking anyone who has the information to delete it, and confirming that they are continuing their investigation into how wide the breach was.
- Organisations also need to consider notifying other affected parties, such as customers.
- The PSNI would be expected to have a process and/or policy setting out what they should do in the event of a personal data breach. Indeed, it is a good time for organisations to examine the investigation and internal reporting procedures they have in place for when breaches occur; see the ICO guidance ‘Preparing for a personal data breach’.
- Importantly, the ICO will also want to examine the processes and protections the organisation had in place to prevent the breach in the first place.
In this scenario, in time you might expect the ICO to use its powers to issue a penalty notice, enforcement notice, information notice, etc.
The ICO Personal Data Breaches Guide explains employers’ responsibilities if they find themselves in similar circumstances. The Guide covers:
- What is a personal data breach?
- Risk-assessing data breaches
- When do we need to tell individuals about a breach?
- What information must we provide to individuals when telling them about a breach?
- What breaches do we need to notify the ICO about?
- What role do processors have?
- How much time do we have to report a breach?
- What information must a breach notification to the ICO contain?
- What if we don’t have all the required information available yet?
- How do we notify a breach to the ICO?
- Does the UK GDPR require us to take any other steps in response to a breach?
- What else should we take into account?
- What happens if we fail to notify the ICO of all notifiable breaches?
The Guide is very user friendly; any company with any concerns or queries should contact the Legal Team.