PSNI and Electoral Commission Data Breach

On 8 August 2023, both the UK Electoral Commission and the Police Service of Northern Ireland (PSNI) announced serious data breaches. For the Electoral Commission this appears to have been the result of a serious hack of their systems. For PSNI, the breach has been reported as the result of human error. We have also seen a report on 15 August 2023 that a similar data breach was committed by Norfolk and Suffolk police forces, where personal data was included in a Freedom of Information response. A key aspect here was that the data was hidden from anyone opening the files, but should not have been included at all.

Both organisations process significant amounts of personal data, including highly sensitive or ‘special category’ personal data, so both breaches represent a serious concern for the organisations and for the individuals to whom the data belongs. In both cases the incidents have been reported to the ICO and are being investigated.

Below we will look at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.

The Hack

The Electoral Commission reported that they had been the subject of a “complex cyber-hack” which resulted in reference copies of electoral registers being accessed by the hackers, containing the name and address of anyone in the UK registered to vote between 2014 and 2022.

The Commission was unable to confirm if the data had been downloaded, and could not state conclusively which data had been accessed.

At the time of publication it has not been confirmed who was responsible for this hack; however, leading experts including David Omand, a former director of GCHQ, have pointed to Russia, which Omand has said is “first on his list of suspects”. This has not yet been verified.

This breach exposed the data of more than 40 million voters.

Human Error

In the PSNI case, however, the breach has been reported to have been due to human error. A spreadsheet containing the surname, initial, rank, location and department of all current PSNI officers and civilian staff members was published online. This did not include the private addresses of employees.

PSNI have confirmed that the data was posted in error in response to a freedom of information request, and was publicly accessible for three hours before the error was noted and rectified.

The potential impact of this breach is particularly significant because of the historic safety concerns that employees of the PSNI have had since the Troubles. It is reported that many police officers choose to keep their occupation secret, even from friends and relatives, out of safety concerns for themselves and their families.

PSNI Assistant Chief Constable Chris Todd has confirmed that the information leaked was limited to surname and initial, with no other identifiable personal information within the published leak.

Lucy Densham Brown

Solicitor


What lessons can employers learn?

These are severe examples of data breaches, at a time when the number of breaches being committed is increasing, and they illustrate the multifaceted approach that employers need to take to ensure that data is protected.

The learning point from the Electoral Commission case is to ensure that you have extensive security on your systems, and that employees are trained in how to avoid being hacked and in device security. This includes, for example, phishing tests, document protection, and physical device security. Without adequate training in place, organisations are left exposed to data breaches.

For PSNI, the learning point has to come down to employee training and protocols. First and foremost, employees should be trained to password-protect sensitive documents, especially those containing a database of personal data. This is a relatively simple layer of protection that can quickly become routine, and it can protect the information should it mistakenly fall into the wrong hands.

In addition to this, employers should make sure their employees have sufficient training on how to store and share data, and on the importance of compliance with data protection laws. In particular, they should have regard to the data minimisation principle: share only the most essential data, and only with a limited number of recipients, rather than ‘oversharing’ personal data or sharing it with recipients who do not require access to it.
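The Norfolk and Suffolk incident described above (data hidden inside the released files) and the minimisation point here come down to the same practical question: what is actually inside a file before it leaves the organisation? The following is an added example, not code from the original article or from any of the organisations named in it. It is a standard-library-only Python check that opens an .xlsx workbook (a zip archive of XML parts) and reports every hidden sheet, hidden column range and hidden row, so that a release can be blocked until a person has looked at that content. The workbook it inspects is constructed inline as sample data; the sheet names, part names and cell values are made up for the illustration.

```python
"""Pre-release check: report hidden sheets, columns and rows in an .xlsx file.

Added illustration, not code from the article. Uses only the standard library:
an .xlsx is a zip of XML parts, so no spreadsheet library is required.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_ATTR = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TRUE_VALUES = {"1", "true"}  # OOXML booleans may be written either way


def _sheet_targets(z):
    """Map relationship ids (rId1, ...) to worksheet part names inside the zip."""
    rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    targets = {}
    for rel in rels.iter(f"{{{PKG_NS}}}Relationship"):
        target = rel.get("Target", "")
        # Targets are relative to xl/ unless written as an absolute part name.
        targets[rel.get("Id")] = target.lstrip("/") if target.startswith("/") else "xl/" + target
    return targets


def find_hidden_content(xlsx_bytes):
    """Return human-readable findings for every hidden sheet, column range and row."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        targets = _sheet_targets(z)
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.iter(f"{{{MAIN_NS}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")
            # "veryHidden" sheets cannot even be unhidden from the spreadsheet UI.
            if state != "visible":
                findings.append(f"sheet '{name}' is {state}")
            part = targets.get(sheet.get(REL_ATTR))
            if part is None or part not in z.namelist():
                findings.append(f"sheet '{name}': worksheet part missing, inspect manually")
                continue
            ws = ET.fromstring(z.read(part))
            for col in ws.iter(f"{{{MAIN_NS}}}col"):
                if col.get("hidden") in TRUE_VALUES:
                    findings.append(f"sheet '{name}': columns {col.get('min')}-{col.get('max')} hidden")
            for row in ws.iter(f"{{{MAIN_NS}}}row"):
                if row.get("hidden") in TRUE_VALUES:
                    findings.append(f"sheet '{name}': row {row.get('r')} hidden")
    return findings


def build_sample_xlsx():
    """Constructed sample: a visible 'Summary' sheet with a hidden column and a
    hidden row, plus a veryHidden 'Staff list' sheet. Not real data."""
    workbook_xml = (
        f'<workbook xmlns="{MAIN_NS}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Staff list" sheetId="2" state="veryHidden" r:id="rId2"/>'
        '</sheets></workbook>'
    )
    rels_xml = (
        f'<Relationships xmlns="{PKG_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet2.xml"/>'
        '</Relationships>'
    )
    summary_xml = (
        f'<worksheet xmlns="{MAIN_NS}">'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'  # column C hidden
        '<sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Rank</t></is></c>'
        '<c r="B1" t="inlineStr"><is><t>Headcount</t></is></c>'
        '<c r="C1" t="inlineStr"><is><t>Surname</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>working note</t></is></c></row>'
        '</sheetData></worksheet>'
    )
    staff_xml = f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/_rels/workbook.xml.rels", rels_xml)
        z.writestr("xl/worksheets/sheet1.xml", summary_xml)
        z.writestr("xl/worksheets/sheet2.xml", staff_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_hidden_content(build_sample_xlsx()):
        print("BLOCK RELEASE:", finding)
```

A non-empty findings list is a reason to stop the release and have someone open the file, not a reason to delete the hidden parts automatically: the safer fix is to rebuild the response from only the fields that were asked for, which is the minimisation principle applied to the file itself. The same idea extends to other hidden content a spreadsheet can carry (comments, names and defined ranges, pivot caches), which this illustration does not cover.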

In both cases, it is clearly important for employers to have detailed policies in place which explain to employees what to do in case of a breach, and protocols to minimise the impact of that breach should it occur.

The biggest learning point from these cases is that, unfortunately, it is not enough to only train internally or to only put extensive security measures in place against hacking. Employers must use both methods, and more, to satisfy themselves that they have fulfilled their obligations and, ultimately, to reduce the number of data breaches.

If you would like assistance with data protection policies, or training from our data protection lawyers, please do get in touch.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

