Following on from Brian’s two recent OPs on the PSNI data breach(es), I’m all too familiar with this sort of thing, having worked in the Freedom of Information/Data Protection field for many years and conducted countless training sessions to bored, disinterested attendees who would rather spend the hour and a half watching paint dry than be lectured about the nuances of the GDPR or why they should always lock their computer screens using the “Ctrl-Alt-Delete” key any time they leave their desks.
Just like pensions or tax, “information governance” as it’s generally known, is not exactly the sexiest, most exciting subject under the sun. But nevertheless, it affects us all in our day-to-day lives – a point which I always hammer home in my training seminars.
You might think you don’t need to know about schedule 2, article 1, section 2 of the Data Protection Act or processing for the purposes of the public interest, or the difference between a data controller and a data processor or the conditions required to processing “special category” information, but what about:
• That text you got from the recruitment agency you’d never had any previous contact with inviting you to go for a job in a field you’re not qualified for
• The email you got from “Amaz0n Prome” (sic) with multiple spelling and grammar mistakes in three different languages telling you that your subscription was about to expire – even though you don’t have an account with them
• The phone call you got from the so-called insurance company who wanted to know the details of the road accident that never happened
• The phone call from HMRC/IRS/Revenue Commissioners (depending on what jurisdiction you’re in – but sometimes international borders don’t matter that much to the caller) saying there was a warrant out for your arrest for unpaid taxes, but you could avoid jail if you give them your credit card details over the phone – yet bizarrely they have to ask your name even though they’re supposed to have your details on file
• The Whatsapp message you got from someone addressing you as Dad or Mum who’d lost his/her phone and needed an urgent payment into their account to settle a debt they owed
• The phone call purportedly from Microsoft’s Technical Support desk who tell you that your computer has a virus and they need control of your device using Teamviewer or Anydesk (other remote access software providers are available) to fix it
• The email you received from the courier firm demanding a fee for the delivery of a non-existent parcel
Although the PSNI data breach (or the two PSNI breaches to be precise – the disclosure of the spreadsheet and the earlier incident involving the theft of the laptop) has dominated the headlines it’s the third such incident to be reported from Northern Ireland in as many weeks.
Just the week before the UK’s independent regulatory watchdog the Information Commissioner’s Office (ICO) published reports about lower profile data breaches at two other local public sector organisations – the Patient and Client Council (PCC) and the Executive Office who had made the all-too-common mistake of using the CC or “to” field instead of the BCC option when sending sensitive emails to multiple recipients.
The ICO has come in for much criticism of late and is often dismissed by detractors as being toothless and inefficient. The outcome of the PCC and EO incidents has proven to be no exception. The ICO has responded with a mere slap on the wrist rather than a much harsher financial penalty – given the sensitivity of the information involved.
Furthermore these incidents will do nothing to dispel the all too common perception that the Northern Ireland public sector is a bloated and inefficient bureaucracy and full of people doing either very little work or meaningless tasks simply for the purpose of propping up employment figures – what the late anthropologist David Graeber (1961-2020) called “bullsh1t jobs”. His book on this subject well worth a read by the way.
But this latest PSNI breach is on an altogether different scale.
What’s particularly disturbing and worrying that this was such a simple basic error which could so easily have been avoided.
The classic spreadsheet-with-hidden-tabs-containing-sensitive-data blunder is just a step up from the email sent by mistake to [email protected] rather than [email protected]. I’ve had experience of this as well. As commenters on this site have previously pointed out, a simple check of the spreadsheet by a skilled second pair of eyes before sending it out would have prevented such a disaster – or better still – converting the spreadsheet to a PDF to ensure there was no hidden data would not have taken much effort.
With a plethora of high profile incidents in the space of a few weeks including those mentioned above plus the Scottish adoption records case, the Coutts/Farage caper, the Suffolk/Norfolk police data leak and the cyber-attack on the Electoral Commission, the Information Commissioner John Edwards has been a busy man of late – desperately attempting to justify his £200,000 salary – but which is still less than what Stephen Nolan gets paid by the BBC though!
It is an incredibly worrying time for PSNI officers and staff at the moment. But one good thing to come out of all this will be the inevitable increased awareness of data protection and cybersecurity across the NI public sector and the wider UK – and maybe specialists in this field will have greater bargaining power to demand higher wages.
Sometimes it takes a monumental f*ck-up for things to get better – it shouldn’t be like this of course, but then we don’t live in a perfect world.
It will also be interesting to see how the Information Commissioners Office reacts…
Ciaran Ward is from Co. Tyrone and is now based in London where he works in the data protection/cybersecurity field. His latest book “On Square Routes”, a collection of memoirs, travel writing, short stories and poetry has just been published and is now available from Amazon.