PSNI and Electoral Commission Data Breach

On 8 August 2023, both the UK Electoral Commission and the Police Service of Northern Ireland (PSNI) announced serious data breaches. For the Electoral Commission this appears to have been the result of a serious hack of their systems. For PSNI, the breach has been reported as the result of human error. We have also seen a report on 15 August 2023 that a similar data breach was committed by Norfolk and Suffolk police forces, where personal data was included in a Freedom of Information response. A key aspect here was that the data was hidden from anyone opening the files, but it should not have been included in the files at all.

Both organisations process significant amounts of personal data, including highly sensitive or ‘special category’ personal data, so both breaches represent a serious concern for the organisations and for the persons to whom the data belongs. In both cases the incidents have been reported to the ICO and are being investigated.

Below we will look at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.

The Hack

The Electoral Commission reported that they had been the subject of a “complex cyber-hack” which resulted in reference copies of electoral registers being accessed by the hackers, containing the name and address of anyone in the UK registered to vote between 2014 and 2022.

The Commission was unable to confirm if the data had been downloaded, and could not state conclusively which data had been accessed.

At the time of publication, it has not yet been confirmed who was responsible for this hack. However, leading experts including David Omand, a former director of GCHQ, have said that Russia is “first on his list of suspects”. This has not yet been verified.

This breach exposed the data of more than 40 million voters.

Human Error

In the PSNI case, however, the breach has been reported to have been due to human error. A spreadsheet containing the surname, initial, rank, location and department of all current PSNI officers and civilian staff members was published online. This did not include private addresses of employees.

PSNI have confirmed that the data was posted in error in response to a freedom of information request, and was publicly accessible for three hours before the error was noted and rectified.

The potential impact of this breach is particularly significant due to the historic safety concerns that employees of the PSNI have had since the Troubles. It is reported that many police officers choose to keep their occupation secret, even from friends and relatives out of safety concerns for themselves and their families.

PSNI Assistant Chief Constable Chris Todd has confirmed that the information leaked was limited to surname and initial, with no other identifiable personal information within the published leak.

What lessons can employers learn?

These are severe examples of data breaches, at a time when the number of data breaches is increasing, and they illustrate the multifaceted approach that employers need to take to ensure that data is protected.

The learning point from the Electoral Commission case is to ensure that you have extensive security on your systems, and that employees are trained in hacking avoidance methods and device security. This includes, for example, phishing tests, document protection and physical device security. Without adequate training in place, organisations are left exposed to data breaches.

For PSNI, the learning point has to come down to employee training and protocols. First and foremost, employees should be trained to password protect sensitive documents, especially those containing a database of personal data. This is a relatively simple layer of protection that can quickly become routine, and it can protect the information should it mistakenly fall into the wrong hands.

In addition to this, employers should make sure their employees have sufficient training on how to store and share data, and on the importance of compliance with data protection laws. In particular, they should have regard to the data minimisation principle: only the data that is essential should be shared, and only with a limited number of recipients, rather than ‘oversharing’ personal data or sharing it with recipients who do not require access to it.
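The Norfolk and Suffolk incident mentioned above turned on data that was present in the released files but hidden from anyone opening them. A pre-release check can catch that failure mode before a spreadsheet leaves the organisation. The following is an added example, not code from the original article or from any of the organisations it discusses: it inspects an .xlsx package using only the Python standard library and flags hidden sheets, rows and columns, with a small constructed workbook (the sheet names and cell text are made up) to exercise it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace: '{ns}sheet' -> 'sheet'

def find_hidden_content(xlsx_bytes: bytes) -> dict:
    """Report hidden sheets, rows and columns found inside an .xlsx package."""
    # An .xlsx file is a zip of XML parts. Hiding a sheet, row or column only sets an
    # attribute (state="hidden" / hidden="1"); the cell data itself stays in the file.
    findings = {"hidden_sheets": [], "hidden_rows": 0, "hidden_cols": 0}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = zf.namelist()
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(el.get("name"))
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                for el in ET.fromstring(zf.read(name)).iter():
                    key = {"row": "hidden_rows", "col": "hidden_cols"}.get(_local(el.tag))
                    if key and el.get("hidden") in ("1", "true"):
                        findings[key] += 1
    return findings

def safe_to_release(xlsx_bytes: bytes) -> bool:
    """True only if nothing is hidden; any hidden element needs review or removal."""
    f = find_hidden_content(xlsx_bytes)
    return not f["hidden_sheets"] and f["hidden_rows"] == 0 and f["hidden_cols"] == 0

def build_sample(hidden: bool) -> bytes:
    """Constructed minimal workbook: a visible summary sheet plus a staff list sheet."""
    state = ' state="hidden"' if hidden else ""   # hidden sheet when requested
    row = ' hidden="1"' if hidden else ""          # hidden first row when requested
    workbook = ('<workbook><sheets><sheet name="Summary" sheetId="1"/>'
                f'<sheet name="Staff list" sheetId="2"{state}/></sheets></workbook>')
    staff = (f'<worksheet><sheetData><row r="1"{row}><c r="A1" t="inlineStr">'
             '<is><t>Surname, Initial, Rank, Department</t></is></c></row>'
             '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet><sheetData/></worksheet>")
        zf.writestr("xl/worksheets/sheet2.xml", staff)
    return buf.getvalue()
```

The check is deliberately narrow: hidden elements are one place surplus data survives, but cached pivot data, comments and document metadata are others, so it complements rather than replaces a review of what the file actually needs to contain.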

In both cases, it is clearly important for employers to have detailed policies in place which explain to employees what to do in case of a breach, and protocols to minimise the impact of that breach should it occur.

The biggest learning point from these cases is that, unfortunately, it is not enough to train internally alone, or to deploy extensive security measures against hacking alone. Employers must use both methods, and more, to satisfy themselves that they have fulfilled their obligations and ultimately to reduce the number of data breaches.

If you would like assistance with data protection policies, or training from our data protection lawyers, please do get in touch.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Lucy Densham Brown

Solicitor

