It looks like the Police Service of Northern Ireland (PSNI) personal data breach was caused by including excess information in a Freedom of Information request response. According to reports, the source data was included as well as the summary data that the requester asked for. That’s an easy mistake to make, so it’s particularly important to ensure there are good controls in place.
In this case, reports suggest that the error was identified fairly quickly and the personal data file was removed within an hour. However it doesn’t take long for this kind of information to be accessed and potentially copied. In 2019 there was a somewhat similar breach, where excess personal data was published by the Cabinet Office along with the New Year’s Honours list. According to the ICO, in the 2 hours and 21 minutes this was available online, it was accessed 3,872 times.
In my opinion, requests for information under the Freedom of Information Act and data protection legislation should always be treated as potential personal data breaches and handled very carefully. They are designed to result in the provision of information that wasn’t previously accessible outside the organisation. It’s really important that organisations handling these requests carry out a risk assessment and consider what kinds of technical and organisational safeguards need to be put in place before the response is provided.
In a case like this, where the personal data related to police officers and there is a known threat to those individuals, sensible controls could have included using business information systems that can create the summary statistics without allowing the underlying data to be extracted from the database, and checking that only summary information was included in the file for publication on the website.