October 07, 2025 | Finance and Procurement, Procurement
Request Number: FOI/15310
Category: Finance and Procurement - Procurement
Subject: Data Breaches and Cyber Security Incidents
Request and Answer:
Your request for information below has now been considered. In respect of Section 1(1)(a) of the Freedom of Information Act 2000 (FOIA), we can confirm that the Police Service of Northern Ireland does hold the information you have requested; however, it is estimated that the cost of complying with your request for information would exceed the “appropriate costs limit” under Section 12(1) of the Freedom of Information Act 2000, and this will be further explained below. PSNI have followed the Information Commissioner’s Office guidance ‘Requests where the cost of compliance exceeds the appropriate limit’ in relation to this request, which also provides further detail on the application of Section 12(1) of the FOIA. This guidance is available on the ICO website at the following link:
Request 1
I am writing to request the following information under the Freedom of Information Act 2000 regarding data breaches, cybersecurity incidents, GDPR compliance breaches, and related issues:
Please provide the following details for the period from 1 January 2020 to the most recent available date:
- Number and type of cybersecurity incidents recorded, including (but not limited to):
  - Hacking incidents
  - Phishing incidents
  - Malware or ransomware attacks
  - Unauthorised access to data or systems
Request 2
Number of personal data breaches reported to the Information Commissioner’s Office (ICO), including breaches relating to GDPR compliance.
Request 3
Details of breaches, including:
- Date of each breach
- Type of data compromised (e.g., names, addresses, medical records, financial details, employment data, etc.)
- Number of files or records leaked, compromised, or accessed without authorisation
- Whether the affected individuals were staff members, members of the public, or both
Request 4
Number of individuals affected by each breach, please break down by staff/public if applicable
Request 5
Total financial compensation paid out to victims of data breaches, including staff and members of the public, please break down the compensation amounts by breach if applicable.
Request 6
Brief summary of actions taken by your organisation to respond to each breach, including remedial or preventative measures
Answer
Section 17(5) of the Freedom of Information Act 2000 requires the Police Service of Northern Ireland, when refusing to provide such information (because the cost of compliance exceeds the appropriate limit), to provide you, the applicant, with a notice which states that fact.
It is estimated that the cost of complying with your request for information would exceed the “appropriate costs limit” under Section 12(1) of the Freedom of Information Act 2000. Section 12 of FOIA allows a public authority to refuse to deal with a request where it estimates that it would exceed the appropriate limit to either comply with the request in its entirety or confirm or deny whether the requested information is held. The estimate must be reasonable in the circumstances of the case. The ‘appropriate limit’ is currently £600 for central government and £450 for all other public authorities including PSNI. The relevant Regulations which define the appropriate limit for section 12 purposes are The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 SI 2004 No 3244. These are known as the ‘Fees Regulations’ for brevity.
Regulation 4(3) of the Fees Regulations states that a public authority can take into account the costs it reasonably expects to incur in carrying out the following permitted activities in complying with the request:
(i) Determining whether the information is held;
(ii) Locating the information, or a document containing it;
(iii) Retrieving the information, or a document containing it; and
(iv) Extracting the information from a document containing it.
Under those regulations PSNI can calculate the time spent on each of these permitted activities at £25 per hour (thus if the activity(s) takes more than 18 hours PSNI will be in excess of the ‘appropriate limit’).
When a public authority is estimating whether the appropriate limit is likely to be exceeded, it can include the costs of complying with two or more requests if the conditions laid out in Regulation 5 of the Fees Regulations can be satisfied. Those conditions require the requests to be:
- made by one person, or by different persons who appear to the public authority to be acting in concert or in pursuance of a campaign;
- made for the same or similar information; and
- received by the public authority within any period of 60 consecutive working days.
Regulation 5(2) of the Fees Regulations requires that the requests which are to be aggregated relate “to any extent” to the same or similar information. This is quite a wide test but public authorities should still ensure that the requests meet this requirement.
Enquiries made in relation to your request have identified that retrieval of information to respond to your request would exceed the FOI legislative cost of 18 hours as set by the Secretary of State.
The information you seek in your request is not held in a retrievable format on the PSNI database. Requests 3, 4 and 6 would require manual intervention through each individual case to determine the types of data compromised, what the occupation of each person was and what actions were taken for each case. 5 data breach cases were looked at and each one took 5-7 minutes to read all of the information logged and a further 2-3 minutes to record the findings. In 2024 there were 49 data breaches; 49 cases x 10 minutes to read each one is 8.2 hours. There are a further 4 years and 9 months of cases that would all also require manual intervention. Your request is over the cost limits set out in FOIA.
In accordance with the Freedom of Information Act 2000, this letter should be considered as a Refusal Notice, and the request has therefore been closed.
Advice and assistance
You may wish to submit a refined request in order that the cost of complying with your request may be facilitated within the ‘appropriate limit’. In compliance with Section 16 of the Act, we have considered how your request may be refined to bring it under the appropriate limit.
Request 1 will attract exemptions; we can answer Request 2 and Request 5.