
Police Ombudsman publishes report following investigation of data breach

Published Date: 12 December 2024

The Police Ombudsman's Office has published the report of an independent investigation of the data breach which happened in August 2024.

The breach occurred on Thursday 29 August, when a document entitled “Staff Complement May 2022” was sent in error to 23 people who were being invited to interviews for Investigation Officer posts.

The document contained the names and limited personal data relating to 160 current and former members of Police Ombudsman staff. 

The Office’s Independent Assessor of Complaints, Sarah Havlin, was asked to investigate the breach with specific reference to the effectiveness of the Office’s initial response and its plans for preventing a recurrence.

She was also asked to consider lessons learned and to produce a report containing recommendations.

Her report makes a number of findings about how the breach occurred. 

She found that a temporary agency worker had been asked to send emails to invite 23 job applicants for interview, and to attach three documents to the email. 

She noted that the electronic document references for these documents had been provided on a Post-It note. The reference typed into the electronic document management system for one of the documents was one digit removed from that of the correct document, and this resulted in the wrong file being sent to the recipients.

Ms Havlin identified that although the breach had been primarily caused by human error, systemic issues also played a role.  

She identified five main contributory factors: 

  • The inexperience of the agency worker;
  • A lack of double-checking to ensure that the names of the attached documents matched the Trim references provided;
  • The level of training and support provided to the agency worker;
  • The method of instruction given to the agency worker;
  • “IT system weaknesses in respect of file naming conventions, separation and protection of personal data files and access control system.”

Ms Havlin found that the Office’s immediate response after discovering the breach had been “commendable.”

“The response by OPONI was both rapid and effective in rectifying the error, mitigating the impact and communicating clearly and honestly about what had occurred,” she said.

Ms Havlin also noted that the Office had quickly advised the Information Commissioner’s Office about the breach. The ICO opened a case but closed it on 18 September, noting that no further action was necessary on the basis that the Office had: 

  • taken steps to contain the breach,
  • received confirmation from recipients that they had deleted the document,
  • informed those affected, and
  • proposed steps to prevent a recurrence.

Ms Havlin’s report makes a number of recommendations, some of which mirror those made by the ICO. These include recommendations for the introduction of robust file naming and handling conventions, the use of password protection for documents containing personal data, and for testing and review of remedial measures to ensure “they are effective at keeping personal data secure.”

Others include a recommendation that instructions for digital tasks should not be handwritten, that measures are taken to ensure that agency staff receive appropriate training and support, and that additional data protection and cyber security training is introduced.

She also recommended that a number of policies should be reviewed and updated, and that changes implemented as a result of the incident should be communicated throughout the organisation and subject to regular testing and review.

Chief Executive Hugh Hume said: “We have accepted all the recommendations. These, along with other areas for improvement identified through our own rapid review, will be incorporated into an action plan which will be published in the new year.” 

The Independent Assessor’s report referenced the issuing of a security notice to all staff on 19 September. The notice was a reminder of the importance of double-checking emails to ensure that addresses and attachments are correct, that email chains have not been inadvertently forwarded, and that all potential breaches are immediately reported.