
Request Number: FOI/14795

Category: Organisational Information & Performance - Security and Data Protection

Subject: Data Breaches

Request and Answer:
Your request for information has now been considered. Please see below in response to your request.

Request
Under the Freedom of Information Act 2000, please can you disclose the following information:

Request 1
The number of data breach incidents the force has had in the last three years (Broken down by financial years 2022/23, 2023/24 and 2024/25)

Answer 1
Please see below table in response to your request. The below table represents non-cyber related data breaches only:

                 2022/23   2023/24   2024/25
Data Breaches         59        62        48

Partial NCND
In relation to cyber related data incidents, we are providing a Neither Confirm Nor Deny (NCND) response, the rationale for which has been explained below:

Harm in Confirming or Denying that Information is held
To confirm or deny whether any further information is held in respect of successful cyber attacks resulting in Data Breaches would provide actual knowledge that where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.

To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber attacks made against the force, which would present harm as detailed above.

Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

Public Interest Considerations

Section 24(2) National Security
Factors in favour of confirming or denying that information is held
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold PSNI to account, ensuring all such breaches are recorded and investigated appropriately. With the call for transparency of public spending this would enable improved public debate.

Factors against confirming or denying that information is held
Security measures are put in place to protect the communities we serve. As evidenced within the harm, to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within PSNI which could be further exploited.
Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.
Irrespective of what information is or isn’t held, the public entrust the PSNI to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.
The cumulative effect of terrorists gathering information from various sources would be even more impactful when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.
Any incident that results from such a disclosure would, by default, affect National Security.

Section 31(3) – Law Enforcement
Factors favouring confirming or denying that information is held
Confirmation that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.

Factors against confirming or denying that information is held
Confirmation or denial that information is held in this case would suggest PSNI take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.

Balancing Test
The points above highlight the merits of confirming or denying the requested information exists. The PSNI is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.

In addition anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the PSNI. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.

Request 1a
Of those, how many were cyber incidents? (Broken down by years as above)

Clarification requested:
In relation to Q1a, can you please define your use of the phrase cyber incidents?

Clarification received:
By cyber incidents, I mean any malicious attempts to gain unauthorized access to data that the police hold, but not all cyberattacks result in data breaches. This question can be omitted if that would be easier.

Answer 1a
This request was withdrawn by the requestor.

Request 1b
Can these be broken down by year and by incident type? E.g. instances where data was emailed to the incorrect recipient or cases of loss/theft of devices containing personal data etc.? (Broken down by years as above).

Answer 1b
Please see below table in response to your request. The below table represents non-cyber related data breaches only:

                             2022/23   2023/24   2024/25
Breaches involving email          10        11        23
System Misuse                     16        11         4
Paper docs                        25        30        11
Miscellaneous                      8        10        10
Total                             59        62        48

Partial NCND
In relation to cyber related data incidents, we are providing a Neither Confirm Nor Deny (NCND) response, the rationale for which has been explained under Answer 1.

Request 2
How many compensation claims have been brought against the force for data breaches in the last three years (Broken down by financial years 2022/23, 2023/24 and 2024/25)

Answer 2
Please see below in response to Request 2:

2022/23 - Nil

Partial Exemption
We are withholding the requested information for the financial years 2023/24 and 2024/25, the rationale for which has been explained below.

You have sought information which is considered to attract Legal Professional privilege ('LPP'). LPP protects confidential communications and correspondence between a lawyer and client. Section 42 of the FOIA provides an exemption for information protected by LPP. The concept of LPP protects the confidentiality of communications between a lawyer and client. This helps to ensure complete fairness in legal proceedings.

In Bellamy v the Information Commissioner and the Secretary of State for Trade and Industry (EA/2005/0023, 4 April 2006) the Information Tribunal described LPP as:

"a set of rules or principles which are designed to protect the confidentiality of legal or legally related communications and exchanges between the client and his, her or its lawyers, as well as exchanges which contain or refer to legal advice which might be imparted to the client, and even exchanges between the clients and [third] parties if such communications or exchanges come into being for the purposes of preparing for litigation"

In the Bellamy decision, the Tribunal acknowledged that there are two types of privilege within the concept of LPP:

  • Litigation privilege; and
  • Advice privilege.

Litigation privilege applies to confidential communications made for the purpose of providing or obtaining legal advice about proposed or contemplated litigation. Litigation privilege can apply to a wide variety of information, including advice, correspondence, notes, evidence or reports. Advice privilege applies where no litigation is in progress or contemplated. It covers confidential communications between the client and lawyer, made for the dominant (main) purpose of seeking or giving legal advice.

In this case PSNI considers the information you have requested is covered by litigation privilege. As a result section 42(1) of the FOIA is engaged. Section 42(1) states:

(1) Information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings is exempt information.

The full text of exemptions can be found at www.legislation.gov.uk and further guidance on how they operate can be located on the Information Commissioner's Office website www.ico.org.uk. PSNI has also followed the Information Commissioner's Office guidance on LPP which is available on their website at the following link:

https://ico.org.uk/media/for-organisations/documents/1208/legal_professional_privilege_exemption_s42.pdf

Section 42(1) - Legal professional privilege
Section 42 is a class based exemption which carries a public interest test. This means that information has to fall within the class protected by the exemption for it to be engaged. In this instance the information you are requesting is contained within communications between PSNI and its legal advisors. The public interest considerations that PSNI considered included:

Factors favouring release - Section 42
Providing information covered by legal professional privilege to the public could increase transparency for the public on the decision making processes of PSNI.

Factors against release - Section 42
The information is contained within communications for which legal advice has been sought. The PSNI’s ability to consider that advice and to determine its position could be compromised if this information were to be released. There is a high public interest in PSNI being able to seek legal advice freely and frankly in relation to an ongoing issue, and PSNI sought that advice in confidence with the expectation it would not be further disclosed.

Balancing Test
PSNI has considered the public interest factors above, and taking all of the circumstances of this request into account considers that the balance of the public interest test favours withholding of the information in this instance.

Partial NCND
In relation to claims made specifically in relation to cyber-related data breaches, we are providing a Neither Confirm Nor Deny (NCND) response, the rationale for which has been explained under Answer 1.

Request 2a
Of those, how many were settled with compensation and how many were refused?

Answer 2a
As of 16th June, all matters are still ongoing.

Request 2b
How much has the force paid out in compensation for data breach claims in the last three years? (Broken down by years as above)

Answer 2b
Please see below in response to Request 2b:

2022/23 – Nil

2023/24 – Nil

PSNI are withholding the breakdown for 2024/25 as this information could lead to the identification of individual claimants. The rationale for this is outlined below.

Section 17(1) of the Freedom of Information Act 2000 requires the Police Service of Northern Ireland, when refusing to provide such information (because the information is exempt), to provide you, the applicant, with a notice which:

 (a) states that fact,
 (b) specifies the exemption in question and
 (c) states (if not otherwise apparent) why the exemption applies.

The exemption is listed below:

Section 40(2)(a)(b) by virtue of Section 40(3)(A)(a) – Personal Information - Information constitutes personal data and disclosure would contravene any of the Data Protection principles.

The full text of exemptions can be found at www.legislation.gov.uk and further guidance on how they operate can be located on the Information Commissioner's Office website www.ico.org.uk.

Section 40
Section 40(2) of the FOIA is an absolute exemption which means there is no requirement for PSNI to consider whether there is a public interest in disclosure. It is an interface exemption and we must consider whether release of the information would breach the General Data Protection Regulations (‘GDPR’) or the Data Protection Act 2018 (‘DPA’). Third party personal information constitutes ‘personal data’ under the GDPR (Article 4) and DPA (Part 1 s.3).

Under the Freedom of Information Act, PSNI must consider if information can be released into the public domain. We have therefore considered whether the disclosure of this personal data is subject to the exemption at Section 40(2) of the Freedom of Information Act 2000 by virtue of s40 (3)(A)(a). As this information is ‘personal data’, PSNI considered whether disclosure would contravene any of the six data protection principles contained within the GDPR or DPA.

The six data protection principles are good information handling standards which PSNI must comply with in relation to how it handles personal information, including deciding whether to disclose it or not. In particular, the first principle requires personal data to be processed in a lawful and fair manner. In considering whether it is ‘fair’ to any individual to release information about them, PSNI considered the likely expectations of those individuals and the nature of the information involved. Individuals must have confidence that their information is treated sensitively and appropriately by PSNI. We consider those individuals would not have any reasonable expectation PSNI would disclose such information of this nature about them. We consider it would be extremely unfair to those individuals and therefore a breach of the first principle of data protection legislation. This information is therefore exempt under section 40(2) of the FOIA as it contravenes data protection legislation to release it and PSNI has made the decision to withhold that information.

Partial NCND
In relation to compensation paid out specifically in relation to cyber-related data breaches, we are providing a Neither Confirm Nor Deny (NCND) response, the rationale for which has been explained under Answer 1.

The release of information under the Freedom of Information Act is considered a release into the public domain and not just to the individual requesting the information. Once information is disclosed by FOI there is no control or limits as to who or how information is shared with other individuals, therefore a release under FOI is considered a release to the world in general.