In a recent data breach, the Police Service of Northern Ireland (PSNI) fell victim to human error in a Freedom of Information (FOI) response that demonstrated the importance of ensuring that data protection and freedom of information are well integrated. Over 100 countries have implemented FOI laws, which allow individuals to request access to data held by national governments, including state and local governments as applicable. Indeed, in the UK government’s proposal for their Freedom of Information Act 2000 (“the FOI Act”), they highlighted the criticality of this ability to a democratic society, stating: “Openness is fundamental to the political health of a modern state”. However, a balance must be struck between openness and security, and so FOI legislation includes some important exemptions to protect the personal data of individuals. Most jurisdictions stipulate that personal data should not be included in an FOI response, and doing so can lead to a serious data breach, as recently shown by the PSNI. While the PSNI breach is the most recent example of such an FOI error, other organisations have also experienced similar incidents and inappropriate disclosures. These cases highlight how robust FOI response procedures and employee training are vital in ensuring that your FOI team provides appropriate information in response to FOI requests.
Background
Under the FOI Act, members of the public are entitled to request certain information held by public authorities. This access informs the public about the activities of public authorities and enables them to hold authorities to account. There are a number of exemptions to the information that must be provided, such as information contained in court records (s.32), information that is accessible by other means (s.21) and information which, where released, would breach the data protection principles contained in the Data Protection Act 1998 (s.40). This serves to balance openness with principles of security and privacy.
On August 3, the PSNI received an FOI request from a private individual, asking “Could you provide the number of officers at each rank and number of staff at each grade?”. Such requests are generally considered routine and reasonable under the FOI Act. However, in response to the request, the original requestor received a large Excel spreadsheet containing the surname and initials of over 10,000 employees, their rank or grade, where they are based and the unit in which they work. This erroneously supplied information was then published on an FOI website, What Do They Know, and became available to the public. The provision of this personal data constituted a personal data breach under the UK’s General Data Protection Regulation. Though the PSNI requested that the data be removed 2.5 hours after it was posted online, police have confirmed that the data was accessed by unauthorised individuals, including dissident republicans, amongst others. Given the political history of Northern Ireland, this disclosure introduced significant risks to officers’ and their families’ personal safety. In addition to the harms to the affected individuals, this breach will have significant financial ramifications for the PSNI. Assistant Chief Constable Chris Todd told a Westminster committee that this breach could cost the PSNI up to £240 in extra security for offices and individual claims for litigation.
The PSNI breach is not the first instance of personal data being exposed in an FOI response. For example, the Royal Borough of Kensington and Chelsea had a similar incident in 2018. Following the Grenfell Tower tragedy, the Borough received an FOI request from the media asking for information about vacant properties in the Borough. However, the FOI team unintentionally provided the names of the owners of the vacant properties in the spreadsheet they supplied to the media. In the ensuing investigation, the Information Commissioner’s Office found that the FOI team had not received adequate training and that there was a lack of guidance around identifying and removing hidden personal data. The Borough received a fine of £120,000 as a result of this breach, leading to significant financial impacts for that organisation as well.
Best Practice for FOI Requests
These cases highlight the importance of having robust procedures in place when responding to FOI requests. While the risk of human error can never be totally eliminated, there are steps that can be taken to reduce the risk of inappropriate data sharing when responding to FOI requests. These include:
- Implement robust procedures: As the Information Commissioner in the UK, John Edwards, said: “The incident demonstrates just how important it is to have robust measures in place to protect personal information, especially in a sensitive environment.” Creating clear, step-by-step guidance for employees about how to handle FOI requests will ensure a common understanding of best practice among your team. Your procedures should document how data should be compiled and by whom, and they should include a process for reviewing the response before it is shared with the public. This review should be conducted by a senior member of the team with an in-depth knowledge of the regulations, to ensure that only the data required to answer the request is provided to the requestor and that nothing else (such as hidden sheets, columns or source data) travels with it.
- Provide regular staff training: As highlighted in the investigation into the Royal Borough of Kensington and Chelsea breach, all staff involved in responding to information requests should receive regular training in relevant legislation, including the FOI Act and data protection laws. They should also regularly review internal policies and procedures for FOI requests. Staff should also receive regular information and cyber security training to ensure that they are able to identify factors that could cause data breaches.
- Regularly review your processes: FOI response processes should be regularly reviewed and improved. Your team should conduct regular evaluations following FOI responses to assess where the process was effective and where there are areas for improvement. This will help to streamline the process for future FOI requests and identify areas of potential risk.
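The review step described above is where the hidden personal data in both incidents should have been caught. The following script is an added example written for this article, not code from the PSNI, the Borough or Trilateral: it audits an .xlsx workbook before release by listing hidden sheets, hidden rows and hidden columns, and reporting each sheet's row count, because a per-person extract of thousands of rows cannot be the answer to a request for headcounts by rank. An .xlsx file is a zip archive of XML parts, so it reads the OOXML directly with the standard library and needs no Excel. The function names (audit_workbook, release_ok, build_sample_workbook), the 200-row threshold and the sample workbook with its "Summary" and hidden "Source" sheets are all constructed for illustration.

```python
"""Pre-release audit of an .xlsx workbook before it leaves the FOI team.

Hypothetical helper written for this article; it is not the PSNI's, the
Borough's or Trilateral's code. An .xlsx file is a zip archive of XML parts,
so the checks below need only the Python standard library.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": MAIN, "p": PKG}


def audit_workbook(path):
    """Return the findings a reviewer must clear: hidden sheets, hidden rows and
    columns per sheet, and every sheet's row count (an aggregate answer is short)."""
    findings = {"hidden_sheets": [], "sheets": {}}
    with zipfile.ZipFile(path) as zf:
        # workbook.xml names the sheets; the rels part maps each r:id to its XML part
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        target_of = {r.get("Id"): r.get("Target") for r in rels.iterfind("p:Relationship", NS)}
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iterfind("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            # state is "visible", "hidden" or "veryHidden"; only the first shows a tab
            if sheet.get("state", "visible") != "visible":
                findings["hidden_sheets"].append(name)
            target = target_of[sheet.get("{%s}id" % REL)].lstrip("/")
            part = target if target.startswith("xl/") else "xl/" + target
            ws = ET.fromstring(zf.read(part))
            rows = ws.findall("m:sheetData/m:row", NS)
            findings["sheets"][name] = {
                "rows": len(rows),
                "hidden_rows": [int(r.get("r")) for r in rows if r.get("hidden") in ("1", "true")],
                "hidden_columns": [(int(c.get("min")), int(c.get("max")))
                                   for c in ws.iterfind("m:cols/m:col", NS)
                                   if c.get("hidden") in ("1", "true")],
            }
    return findings


def release_ok(findings, max_rows=200):
    """True only when nothing is hidden and no sheet looks like a per-person
    extract instead of the aggregate the request asked for (threshold assumed)."""
    if findings["hidden_sheets"]:
        return False
    for info in findings["sheets"].values():
        if info["hidden_rows"] or info["hidden_columns"] or info["rows"] > max_rows:
            return False
    return True


def _sheet_xml(rows, hidden_cols=(), hidden_rows=()):
    """Build a worksheet part using inline strings (constructed sample data)."""
    cols = "".join('<col min="%d" max="%d" width="12" hidden="1"/>' % (c, c) for c in hidden_cols)
    body = ""
    for i, row in enumerate(rows, start=1):
        cells = "".join('<c r="%s%d" t="inlineStr"><is><t>%s</t></is></c>' % (chr(65 + j), i, v)
                        for j, v in enumerate(row))
        body += '<row r="%d"%s>%s</row>' % (i, ' hidden="1"' if i in hidden_rows else "", cells)
    return '<worksheet xmlns="%s">%s<sheetData>%s</sheetData></worksheet>' % (
        MAIN, "<cols>%s</cols>" % cols if cols else "", body)


def build_sample_workbook(path, with_hidden_source=True):
    """Write a constructed workbook: the aggregate "Summary" the requester asked
    for and, optionally, a hidden per-person "Source" sheet left behind by the
    person who compiled it (all names are made up). Only the parts the audit
    reads are written, so this is not a workbook Excel would open."""
    summary = [["Rank", "Headcount"], ["Constable", "3"], ["Sergeant", "1"]]
    source = [["Surname", "Initials", "Station", "Rank"],
              ["Smith", "J", "Station A", "Constable"],
              ["Jones", "K", "Station B", "Constable"],
              ["Brown", "L", "Station A", "Sergeant"],
              ["Green", "M", "Station C", "Constable"]]
    sheets = [("Summary", _sheet_xml(summary), "")]
    if with_hidden_source:
        # column C (station) hidden and the last row hidden, as a compiler might leave them
        sheets.append(("Source", _sheet_xml(source, hidden_cols=(3,), hidden_rows=(5,)), ' state="hidden"'))
    wb = "".join('<sheet name="%s" sheetId="%d" r:id="rId%d"%s/>' % (n, i, i, st)
                 for i, (n, _, st) in enumerate(sheets, start=1))
    rels = "".join('<Relationship Id="rId%d" Type="%s/worksheet" Target="worksheets/sheet%d.xml"/>'
                   % (i, REL, i) for i in range(1, len(sheets) + 1))
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("xl/workbook.xml",
                    '<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>' % (MAIN, REL, wb))
        zf.writestr("xl/_rels/workbook.xml.rels", '<Relationships xmlns="%s">%s</Relationships>' % (PKG, rels))
        for i, (_, xml, _) in enumerate(sheets, start=1):
            zf.writestr("xl/worksheets/sheet%d.xml" % i, xml)
    return path


def sample_path(filename):
    """Scratch location for the constructed sample workbooks."""
    return os.path.join(tempfile.gettempdir(), filename)


if __name__ == "__main__":
    findings = audit_workbook(build_sample_workbook(sample_path("foi_response_sample.xlsx")))
    print(findings)
    print("safe to release:", release_ok(findings))
```

On the constructed sample the audit reports the hidden "Source" sheet, its hidden column C and hidden row 5, and `release_ok` returns False; with the source sheet removed it returns True. Treat this as a first pass only: data can also survive in pivot caches, comments, defined names and document properties, so the safer procedure is to build the response fresh from the aggregate figures rather than stripping columns from the source extract, and then run a check like this on the file that will actually be sent.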
Taking these steps will help to ensure that your team is informed and prepared to handle FOI requests effectively and in line with the legislation.
When data breaches occur anyway
Despite best efforts, there is always a risk that data may be disclosed inappropriately in an FOI response, as these examples demonstrate. As such, it is important that your organisation is prepared to handle data breaches. If you believe a data breach has occurred, you should consider the following actions:
- Act fast: As soon as your organisation becomes aware that a breach has happened, you should assemble a data breach response team to investigate the cause of the breach and identify any steps that can be taken to limit the damage. For example, the PSNI were able to get the FOI website to remove the data within three hours of it being posted. This will have limited the opportunity for the public to download the dataset, and thus limited the spread of the data.
- Complete your notification obligations: Under the GDPR, organisations have an obligation to notify regulators within 72 hours of data breaches that result in a “risk to the rights and freedoms of natural persons” (GDPR Article 33). As such, it is important that you are aware of your notification obligations and notify the regulator within the required timeframe. In addition to notifying regulators, organisations may be required to notify affected individuals following a data breach. In the PSNI case, the breach has put the safety of a number of officers at risk; indeed, some individuals may have to leave their roles to protect their safety. By notifying affected individuals as soon as reasonably possible, you allow them to take measures to protect themselves promptly. The GDPR stipulates that organisations should notify affected individuals where a data breach poses a “high risk” to the rights and freedoms of individuals (GDPR Article 34). Your organisation’s data breach response procedures should include guidance on how to assess when you are required to notify regulators and when you are required to notify individuals.
- Manage the Public Relations (PR): Engaging with PR teams can help to manage communications with the public, ensuring that information is controlled and that public concerns about the incident are addressed. This is an important step for protecting your organisation’s reputation and for preventing false narratives from circulating.
- Learn from your mistakes: Once you have managed the data breach, it is important to review both the factors that led to the breach and your breach response. Conducting look-back exercises to identify shortcomings in your policies and assess how the breach could have been avoided will help to reduce the risk of a similar breach recurring.
If you are subject to the FOI Act, it is important that your organisation has robust practices in place to fulfil your obligations for openness while protecting individuals’ right to privacy. Trilateral’s Data Protection and Cyber-Risk Team has significant experience in managing FOI requests, including developing procedures for fulfilling requests securely and effectively. For more information, please feel free to contact our data protection and security experts, who would be more than happy to help.