
Request Number: FOI/14110

Category: Organisational Information & Performance - Internal Information, Security and Data Protection

Subject: Data Breach and ISA

Request and Answer:

Your request for information below has now been considered. In respect of Section 1(1)(a) of the Freedom of Information Act 2000 (FOIA), we can confirm that the Police Service of Northern Ireland does hold the information you have requested; however, it is estimated that the cost of complying with your request for information would exceed the “appropriate costs limit” under Section 12(1) of the Freedom of Information Act 2000, and this will be further explained below. PSNI have followed the Information Commissioner’s Office guidance ‘Requests where the cost of compliance exceeds the appropriate limit’ in relation to this request, which also provides further detail on the application of Section 12(1) of the FOIA. This guidance is available on the ICO website at the following link:
https://ico.org.uk/media/for-organisations/documents/1199/costs_of_compliance_exceeds_appropriate_limit.pdf

Request Details
I am writing to make a request for information under the Freedom of Information Act 2000. As part of the UKRI International Law Enforcement Information Exchange Project (Edge Hill University), examining how information can be effectively exchanged between law enforcement agencies, we would like to ask you to provide the following information:
 

I. Data Breaches
 

Request 1

The number of data breaches recorded by your force in the past 10 years.

Request 2

The agencies or external bodies involved, if any.

Request 3

The type of data compromised.

Request 4

The departments or units within your force affected.

Request 5

The impact of these data breaches.

Request 6

Whether any of these breaches were reported in the media (if so, please specify).

Request 7

Whether the breaches were made public by the force.

II. Information Sharing Agreements

Request 8

What information sharing agreements your force currently has in place.

Request 9

The number of information sharing agreements your force currently has in place.

Request 10

The organisations or agencies these agreements are with.

Request 11

A distinction between statutory information sharing agreements and localised agreements.

III. Operational Databases

Request 12

The number of separate information databases your force operates in relation to operational matters (excluding internal systems such as HR or logistical databases, clothing stores, etc.).

Request 13

A brief description of the purpose of these operational databases. To be clear, we do not require specific titles of the databases; generic descriptions will suffice.

Answer
Section 17(5) of the Freedom of Information Act 2000 requires the Police Service of Northern Ireland, when refusing to provide such information (because the cost of compliance exceeds the appropriate limit) to provide you the applicant with a notice which states that fact.

It is estimated that the cost of complying with your request for information would exceed the “appropriate costs limit” under Section 12(1) of the Freedom of Information Act 2000. Section 12 of FOIA allows a public authority to refuse to deal with a request where it estimates that it would exceed the appropriate limit to either comply with the request in its entirety or confirm or deny whether the requested information is held. The estimate must be reasonable in the circumstances of the case. The ‘appropriate limit’ is currently £600 for central government and £450 for all other public authorities including PSNI. The relevant Regulations which define the appropriate limit for section 12 purposes are The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 SI 2004 No 3244. These are known as the ‘Fees Regulations’ for brevity.

Regulation 4(3) of the Fees Regulations states that a public authority can take into account the costs it reasonably expects to incur in carrying out the following permitted activities in complying with the request:

(i) determining whether the information is held;
(ii) locating the information, or a document containing it;
(iii) retrieving the information, or a document containing it; and
(iv) extracting the information from a document containing it.

Under those regulations PSNI can calculate the time spent on each of these permitted activities at £25 per hour (thus if the activity(s) takes more than 18 hours PSNI will be in excess of the ‘appropriate limit’).

When a public authority is estimating whether the appropriate limit is likely to be exceeded, it can include the costs of complying with two or more requests if the conditions laid out in Regulation 5 of the Fees Regulations can be satisfied. Those conditions require the requests to be:

  • made by one person, or by different persons who appear to the public authority to be acting in concert or in pursuance of a campaign;
  • made for the same or similar information; and
  • received by the public authority within any period of 60 consecutive working days.


Regulation 5(2) of the Fees Regulations requires that the requests which are to be aggregated relate “to any extent” to the same or similar information. This is quite a wide test but public authorities should still ensure that the requests meet this requirement.

Enquiries made in relation to your request have identified that retrieval of information to respond to your request would exceed the FOI legislative cost of 18 hours as set by the Secretary of State.
 

Information sought in Requests 1 to 4 is not held in a retrievable format that provides the information without manual intervention, and a comprehensive search would need to be conducted to retrieve this information. It has been established that between 1st January 2024 and 31st December 2024 there have been 137 data incidents reported. Each of them would have to be examined to determine if they meet the criteria of a Data Breach. A further trawl of records would then need to be conducted to retrieve details such as whether any external agencies were involved, the type of data compromised and the departments or units within the force affected, as per your request. It has been estimated that providing a response to these requests would grossly exceed the legislative cost of 18 hours as set by the Secretary of State.

Additionally, for Requests 8 to 11, to retrieve the data that is sought would require input from every department within the PSNI, as this information is not held centrally. We are currently working on a project to streamline the ISA process and create a central register. This is currently at the early stages but should be completed by the latter part of the year. Currently, it has been estimated that to retrieve this information would also exceed the 18-hour legislative cost.

Furthermore, for Requests 12 and 13, there are in excess of 280 databases that we are charged for. To pull together the information you have sought would require identification of all databases and which areas these databases relate to. Each area would have to provide a description of the relevant databases. It has been estimated that to correlate the information would take approximately 60 hours.

Under Section 12 of the Freedom of Information Act 2000, if any part of the request exceeds the cost threshold then the whole request is treated as exceeding the cost limit and there is no obligation to answer any part of the request.


In accordance with the Freedom of Information Act 2000, this letter should be considered as a Refusal Notice, and the request has therefore been closed. 

Advice and assistance
You may wish to submit a refined request in order that the cost of complying with your request may be facilitated within the ‘appropriate limit’. In compliance with Section 16 of the Act, we have considered how your request may be refined to bring it under the appropriate limit. 

We may be able to provide a response to the following within the appropriate limit:

  • The number of data incidents recorded by your force in the past 10 years.
  • For the data incidents, the agencies or external bodies involved, if any.
  • The impact of these data incidents.
  • Whether any of these incidents were reported in the media (if so, please specify).
  • Whether the incidents were made public by the force.

Submission of a refined request would be treated as a new request, and considered in accordance with the Freedom of Information Act 2000, including consideration of relevant Part II exemptions.