
PSNI and Electoral Commission Data Breach

On 8 August 2023, both the UK Electoral Commission and the Police Service of Northern Ireland (PSNI) announced serious data breaches. For the Electoral Commission this appears to have been the result of a serious hack of their systems. For PSNI, the breach has been reported as the result of human error. We have also seen a report on 15 August 2023 that a similar data breach was committed by Norfolk and Suffolk police forces, where personal data was included in a Freedom of Information response. A key aspect here was that the data was hidden from anyone opening the files but should not have been included.

Both organisations process significant amounts of personal data, including highly sensitive or ‘special category’ personal data, so these breaches represent a serious concern for the organisations and for the persons to whom the data belongs. In both cases the incidents have been reported to the ICO and are being investigated.

Below we will look at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.

The Hack

The Electoral Commission reported that they had been the subject of a “complex cyber-hack” which resulted in reference copies of electoral registers being accessed by the hackers, containing the name and address of anyone in the UK registered to vote between 2014 and 2022.

The Commission was unable to confirm if the data had been downloaded, and could not state conclusively which data had been accessed.

At the time of publication, it has not yet been confirmed who was responsible for this hack; however, leading experts have commented, including David Omand, a former director of GCHQ, who has said that Russia is “first on his list of suspects”. This has not yet been verified.

This breach exposed the data of more than 40 million voters.

Human Error

In the PSNI case, however, the breach has been reported to have been due to human error. A spreadsheet containing the surname, initial, rank, location and department of all current PSNI officers and civilian staff members was published online. This did not include private addresses of employees.

PSNI have confirmed that the data was posted in error in response to a freedom of information request, and was publicly accessible for three hours before the error was noted and rectified.

The potential impact of this breach is particularly significant due to the historic safety concerns that employees of the PSNI have had since the Troubles. It is reported that many police officers choose to keep their occupation secret, even from friends and relatives, out of safety concerns for themselves and their families.

PSNI Assistant Chief Constable Chris Todd has confirmed that the information leaked was limited to surname and initial, with no other identifiable personal information within the published leak.

Lucy Densham Brown

Solicitor


What lessons can employers learn?

These are severe examples of data breaches, at a time when the number of data breaches committed is increasing, and they illustrate the multifaceted approach that employers need to take to ensure that data is protected.

The learning point from the Electoral Commission case is to ensure that you have extensive security on systems, and that employees are trained on hacking avoidance methods and device security. This includes, for example, phishing tests, document protection, and physical device security. Without adequate training in place, organisations are exposed to data breaches.

For PSNI, the learning point has to come down to employee training and protocols. First and foremost, employees should be trained to password-protect sensitive documents, especially those containing a database of personal data. This is a relatively simple layer of protection that can quickly become routine, and it can protect this information should it mistakenly fall into the wrong hands.

In addition to this, employers should make sure their employees have sufficient training on how to store and share data, and on the importance of compliance with data protection laws. In particular, employees should have regard to the data minimisation principle, which is to ensure that only the most essential data is shared with a limited number of recipients, rather than ‘oversharing’ personal data or sharing it with recipients who do not require access to it.

In both cases, it is clearly important for employers to have detailed policies in place which explain to employees what to do in case of a breach, and protocols to minimise the impact of that breach should it occur.

The biggest learning point from these cases is that, unfortunately, it is not enough just to train internally, or just to put extensive security measures in place against hacking. Both methods, and more, must be used by employers to be able to satisfy themselves that they have fulfilled their obligations and, ultimately, to reduce the number of data breaches.

If you would like assistance with data protection policies, or training from our data protection lawyers, please do get in touch.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
