Statement on follow up action in response to the PSNI Data Breach of 8 August 2023 and others

Board Chair

On Thursday 10th August 2023, Members of the Northern Ireland Policing Board called an extraordinary meeting with the Chief Constable and members of his senior team to discuss the data breach that occurred on 8th August 2023 and which resulted in the details of 9483 officers and staff being placed in the public domain.

The Board’s primary focus at that meeting was on the immediate personal impact of the breach on the safety, welfare and human rights of the officers and staff affected and on the immediate steps being taken by PSNI to communicate with officers and staff to address their concerns.  Members also discussed the urgent need for an end-to-end process review of information security management within the PSNI to provide assurance.

This breach, and the subsequent breaches, have damaged the reputation of the service and impacted the confidence of officers, staff and others in the service’s ability to protect personal information.

It is the role of the Board to hold PSNI to account, through the Chief Constable and his senior team. It is vitally important that confidence is restored in the service from within the officers and staff of PSNI, from the general public, including those who have direct contact with the service, particularly victims of crime, and from partner agencies.

At the Policing Board meeting today (22nd August), the Board agreed the following essential steps were necessary to help rebuild trust and confidence in the PSNI, and provide assurance on the efficacy of PSNI policies and practices in place for handling personal data across the organisation.

The Board would also like to thank all those across the community who have privately and publicly expressed support and solidarity with the PSNI, and with the officers and staff affected. We also wish to record the Board’s continued support for officers and staff within the PSNI for the work they do on our behalf.

An Independent End to End Process Review

An independently led end-to-end process review of the circumstances surrounding the data breach incident of 8th August and others has been commissioned in order to provide confidence to PSNI officers and staff and assurance to the wider public that the underlying causes of the breach have been identified and addressed.

This Review, which will be led by Assistant Commissioner Pete O’Doherty, the National Police Chiefs’ Council lead officer for Information Assurance, supported by a specialist team, is designed to:

  • Understand (a) the processes and actions that led to the breach occurring and, (b) any organisational, management or governance factors that allowed that breach to occur;
  • Identify any action required to prevent further data breaches, to build more robust future risk mitigation systems and to make any necessary improvements to information governance systems, policy, organisational practices, cultures and behaviours; and
  • Restore confidence in the organisation's approach to information security management.

The review team have been tasked to have an initial report back to the Board within one month. A final report is expected by the end of November and will be made available for public release.

Reporting to the Board on Data Breaches and Remedial Action

These Data Breaches will be a standing agenda item on monthly public and private accountability sessions with the Chief Constable for as long as is necessary, so that progress on dealing with all the consequences from the breaches including support mechanisms and risk assessments for police officers and staff can be tracked and assessed.

The Chief Constable retains the confidence of the Board to lead the Service and the senior team in the wide-ranging programme of work which has been initiated to address all aspects of the data breaches to ensure appropriate support mechanisms are in place for police officers and staff. In addition, the arrangements set out below will inject crucial independence to help restore internal and external confidence in the Service’s handling of personal information.

Effective Implementation

The Board wants to reach a point where we can assure all PSNI officers and staff and the wider public that every step necessary has been taken to deal with the threats, risks and harms arising from this breach and that everything possible has been done to prevent a recurrence.

The Board will put in place monitoring arrangements to ensure effective implementation of the recommendations flowing from the end-to-end review.

Recognising the impact of the breaches on PSNI officers and staff, the Board engaged on 8th August with representatives of the Police Federation and NIPSA and on 22nd August with the wider membership of “Your Voice”, which has representatives from all the staff organisations.  The Board will maintain contact over the coming months with the staff representative groups to ensure their views continue to be heard.

At the Board meeting on 22 August the Board also received a detailed update from PSNI on continuing actions that are being taken following these breaches.

While much remains to be done, the Board acknowledges the comprehensive response that has been mobilised and delivered by PSNI, and would like to place on record thanks to other partner agencies locally and nationally who have offered and provided assistance to PSNI. 

The impact of these breaches on officers and staff, as well as on wider public trust, is not under-estimated and will remain at the centre of the Board's efforts as we take forward the actions contained in this statement.

Click here to view the Terms of Reference for the Independently Led Review of the Data Breach of 8 August 2023