The Northern Irish police have been fined the equivalent of 880,000 euros by the British privacy regulator ICO for a highly sensitive data leak via a spreadsheet . The fine would have been 6.6 million euros if it had not been taken into account that this concerns the public sector.
Due to an error, a spreadsheet containing the initials and surnames of all current police employees was made public through a Freedom of Information Request, as well as the location and department they work for. The information was in a 'hidden' tab. After discovering the error, the spreadsheet was taken offline, but it had already been downloaded by several parties.
The data of almost ten thousand police officers and employees was leaked. Due to the data breach, several officers wanted to change their names, more than fifty officers called in sick and one officer resigned. This is evident from an investigation conducted by the Northern Irish police into the incident. Officers also feared for their lives, according to the British privacy regulator ICO, which speaks of an unprecedented data breach.
The British regulator investigated the data breach and found that the Northern Ireland Police's internal procedures and protocols for releasing information were insufficient. A Freedom of Information Request is the British counterpart of the Dutch Open Government Act (Woo), which regulates the right to information about everything the government does. “What is particularly worrying is that easily implemented policies and procedures could have prevented this potentially life-threatening incident,” said UK Information Commissioner John Edwards.
The ICO takes the public sector into account when imposing fines. The idea behind this is that such fines are paid with public money and ensure that the authority in question has less money available for carrying out public tasks. If this had not been taken into account, the Northern Irish police would have been fined the equivalent of 6.6 million euros. In addition to the fine, the Northern Irish police must also implement measures to better protect personal information.
