Electoral Commission and PSNI Data Breaches: what lessons can be learned?
On Tuesday 8th August 2023, both the Electoral Commission UK and the Police Service of Northern Ireland (PSNI) announced large-scale data breaches.
PSNI Data Breach
The Police Service of Northern Ireland (PSNI) has disclosed details of a serious data breach involving the inadvertent publication of the personal details of an estimated 10,000 members of staff. The incident appears to have occurred as a result of human error when the PSNI responded to a Freedom of Information (FOI) request seeking the number of officers and staff of all ranks and grades across the organisation. An FOI request gives an individual the right to request any recorded information held by a UK public authority. The published response to this FOI request embedded a spreadsheet with a table containing the surname, initial, rank or grade, location and department of all current PSNI officers and civilian staff members. Private addresses were not released.
According to the PSNI, the data was available online for up to three hours before the error was recognised and the material was removed.
Why is this breach so serious?
This breach is particularly concerning given that members of the PSNI are under threat from Northern Ireland-based terrorists, with the current assessed level of threat at severe, meaning attacks on PSNI personnel are likely.
Can lessons be learned?
Investigations into this breach are ongoing, and we do not yet know the nature of any enforcement action contemplated by the Information Commissioner's Office (ICO) or the extent to which any affected data subjects will be able to recover compensation in respect of the breach. However, aside from the financial and reputational repercussions of the breach, it serves as a stark reminder to all public authorities that they must have robust processes in place, including appropriate checks and balances, when handling FOI and data rights requests.
Electoral Commission Data Breach
The Electoral Commission, which oversees elections in the UK, announced on Tuesday 8th August that it had suffered a complex cyber-attack which resulted in hackers accessing copies of the electoral registers. The registers contained the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022 – approximately 40 million people.
Who was responsible?
The identity of the hackers remains unknown. However, due to the sophistication of the attack, there is speculation that the attackers may be linked to a hostile state such as Russia.
Should individuals be concerned?
While the breach was monumental in scale, the Electoral Commission has reassured the public that much of the data accessed was already in the public domain and that it would be difficult for any malicious actors to influence UK elections as a result of the breach.
The breaches announced by the PSNI and the Electoral Commission this week demonstrate the potential for serious data breaches to cause significant harm to individuals and organisations. It is vital that organisations continually monitor their data protection compliance by reviewing and testing processes, ensuring that they have appropriate technical and organisational measures in place to protect data and providing training to employees.
If you would like any further information or advice on these issues, please contact Laura Cunningham from the Commercial team.
*This information is for guidance purposes only and does not constitute, nor should it be regarded as, a substitute for taking legal advice that is tailored to your circumstances.