
Request Number: FOI/13666

Category: Organisational Information & Performance - Internal Information, Security and Data Protection

Subject: Personal Data

Request and Answer: 

Your request for information has now been considered. In respect of Section 1(1)(a) of the Act we can confirm that the Police Service of Northern Ireland does hold some of the information to which your request relates and some of this is being provided to you. Some information in request number 3 is exempt by virtue of Section 40(2)(a)(b) by virtue of Section 40(3)(A)(a).
For request number 5 we are partially responding and are also including within our response a Neither Confirm nor Deny (NCND) response by virtue of Section 24(2) and Section 31(3) of FOIA, the rationale for which has been explained further below. We have also provided you with links to guidance issued by the Information Commissioner’s Office which we have followed in responding to your request.

Request 1
Can I have your records about sales of personal data from 2023 (01.01.2023) to 2024 (31.12.2024), including trading partners and money earned from transactions?

Answer 1
No, as PSNI is a law enforcement body and does not sell personal data.

Request 2
Do you use tracking cookies on your website, and can I have a list of third parties that you share personal data with?

Answer 2
As with all modern websites, PSNI presents the visitor with a panel to configure their use of cookies. PSNI does not share personal data with any third parties.

Request 3
Have you received any complaints about how you handle personal data? This includes collecting, storing, sharing or selling, as well as wider processing practices. Please can I view records about these complaints for 2023 and 2024?

Answer 3
Yes, PSNI has received complaints about how personal data is handled. 

Our interpretation is that you are not seeking to have this information provided in our response, and are seeking to ‘view’ the information held. 

Unfortunately, as a Police Force, PSNI would not permit a person to view these records; as we hope you can appreciate, complaints received by PSNI contain, but are not limited to, personal and sensitive data.

Section 17(1) of the Freedom of Information Act 2000 requires the Police Service of Northern Ireland, when refusing to provide such information (because the information is exempt) to provide you the applicant with a notice which:

    (a) states that fact,
    (b) specifies the exemption in question and
    (c) states (if not otherwise apparent) why the exemption applies.

The exemption, as well as the factors the Department considered when deciding where the public interest lies, are listed below:

Section 40(2)(a)(b) by virtue of Section 40(3)(A)(a) – Personal Information.

Section 40(2) of the FOIA is an absolute exemption, which means there is no requirement on PSNI to consider whether there is a public interest in disclosure. It is an interface exemption and we must consider whether release of the information would breach the General Data Protection Regulations (‘GDPR’) or the Data Protection Act 2018 (‘DPA’). Third party personal information constitutes ‘personal data’ under the GDPR (Article 4) and DPA (Part 1 s.3).

Under the Freedom of Information Act, PSNI must consider if information can be released into the public domain. We have therefore considered whether the disclosure of this personal data is subject to the exemption at Section 40(2) of the Freedom of Information Act 2000 by virtue of s40 (3)(A)(a). As information is ‘personal data’, PSNI considered whether disclosure would contravene any of the six data protection principles contained within the GDPR or DPA.

The six data protection principles are good information handling standards which PSNI must comply with in relation to how it handles personal information, including deciding whether to disclose it or not.  In particular, the first principle requires personal data to be processed in a lawful and fair manner. In considering whether it is ‘fair’ to any individual to release information about them, PSNI considered the likely expectations of those individuals and the nature of the information involved and the material you have requested. Individuals must have confidence that their information is treated sensitively and appropriately by PSNI. The PSNI has a duty to protect the personal data of the public and any record of complaint would constitute this. We consider it would be extremely unfair to those individuals and therefore a breach of the first principle of data protection legislation. This information is therefore exempt under section 40 (2) of the FOIA as it contravenes data protection legislation to release it.

The release of information under the Freedom of Information Act is considered a release into the public domain and not just to the individual requesting the information. Once information is disclosed by FOI there is no control or limits as to who or how information is shared with other individuals, therefore a release under FOI is considered a release to the world in general.

Request 4
How many subject access requests did you receive in the period 2023-2024, broken down by year? What types of personal data did they typically receive? For example email addresses, home addresses and telephone numbers?

Answer 4
Please see below table which shows the number of subject access requests by year:

Year | Number of subject access requests received
2023 | 2,330
2024 | 2,611

The most commonly requested information is a Criminal Record Check, which provides the requestor with a copy of their own criminal record.

Request 5
How many data breaches have you experienced for the past 5 years (broken down by each year)?

Clarification requested:
Please can you provide clarification on the wording ‘experienced’ in respect of Q5. Are you seeking:
1. All data breaches experienced by PSNI within the last 5 years (as in breaches within PSNI and breaches externally of PSNI data from other organisations)? Or
2. Data breaches experienced within PSNI within the last 5 years (as in only internal data breaches)? Or
3. Data breaches reported by PSNI to the ICO within the last 5 years?

Clarification received:
Data breaches experienced within PSNI within the last 5 years (as in only internal data breaches). So any breaches of data you have collected from people that have been breached.

Answer 5
The Police Service of Northern Ireland records information relevant to the request under ‘data incidents’ and will respond accordingly. 

Please note that not every ‘data incident’ is considered a ‘data breach’, as per the Information Commissioner’s Office (ICO) definition below:

A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

Additionally, not every ‘data breach’ is required to be reported to the ICO or Police Ombudsman for Northern Ireland (PONI) as per ICO and PONI notification criteria.

In practical terms, this means that the number of ‘data breaches’ will be much lower than the number of ‘data incidents’.

Link to the definitions can be found below:
https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/communications-networks-and-services/security-breaches/

With the above in mind, please see table below in relation to the number of data incidents:

Year | Number of Data Incidents
2020 | 114
2021 | 87
2022 | 92
2023 | 185
2024 | 133

Please note: PSNI records all data incidents. The numbers above reflect the numbers reported. 

Therefore the data incidents that go on to be notified as breaches, which meet the ICO notifiable criteria, are much lower.
 

Partial NCND

With regards to ‘cyber-related data breaches’, and in accordance with the Act, this response also represents a Refusal Notice for this particular element of your requests.  The Police Service of Northern Ireland can neither confirm nor deny that it holds the information you have requested.

Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties on public authorities. Unless exemptions apply, the first duty at Section 1(1)(a) is to confirm or deny whether the information specified in the request is held. The second duty at Section 1(1)(b) is to disclose information that has been confirmed as being held. 

Section 17(1) of the Freedom of Information Act 2000 requires the Police Service of Northern Ireland, when refusing to provide such information (because the information is exempt) to provide you the applicant with a notice which:

    a. states that fact,

    b. specifies the exemption in question and

    c. states (if not otherwise apparent) why the exemption applies.

The Police Service of Northern Ireland (PSNI) can Neither Confirm Nor Deny that it holds the information relevant to your request as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemptions:

  • Section 24(2) - National Security – The duty to confirm or deny does not arise if exemption from section 1(1)(b) is required to protect national security.
  • Section 31(3) – Law Enforcement – The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would, or be likely to, prejudice any of the matters mentioned in subsection (1).

The full text of exemptions can be found at www.legislation.gov.uk and further guidance on how they operate can be located on the Information Commissioner’s Office website www.ico.org.uk.

The exemptions, as well as the factors the Department considered when deciding where the public interest lies, are listed below:

‘Neither Confirm nor Deny’ (NCND)

There may be occasions when complying with the duty to confirm or deny under section 1(1) (a) would in itself disclose sensitive or potentially damaging information that falls under an exemption. In these circumstances, the Act allows a public authority to respond by refusing to confirm or deny whether it holds the requested information. 

The decision to issue a ‘neither confirm nor deny’ response is not affected by whether we do or do not hold the information but relates to the consequences of confirming or denying the information is held. The starting point and main focus in most cases will be theoretical considerations about the consequences of confirming or denying that a particular type of information is held. The decision to neither confirm nor deny is separate from a decision not to disclose information and needs to be taken entirely on its own merits.

PSNI follow the Information Commissioner’s Guidance in relation to ‘NCND’ and you may find it helpful to refer to this at the following link:

https://ico.org.uk/media/for-organisations/documents/1166/when_to_refuse_to_confirm_or_deny_section_1_foia.pdf

Sections 24 and 31 are qualified and prejudice-based exemptions, and there is a requirement to evidence the Harm in confirming or denying that information is held and to conduct a Public Interest Test.

Harm

To confirm or deny whether any further information is held in respect of successful cyber-attacks resulting in Data Breaches would provide actual knowledge that where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful, and possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success. 

To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber-attacks made against the force, which would present harm as detailed above. 

Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber-attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

Public Interest Test

Section 24(2) - National Security

Factors favouring complying with Section 1(1)(a) neither confirming nor denying that information is held

The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm whether cyber security attacks have occurred would enable the general public to hold PSNI to account ensuring all such breaches are recorded and investigated appropriately. In the current financial climate of cuts and with the call for transparency of public spending this would enable improved public debate.

Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held

Security measures are put in place to protect the community we serve.  As evidenced within the harm, to confirm where cyber security attacks have occurred would highlight vulnerabilities within PSNI to terrorists and individuals intent on carrying out criminal activity.

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed.  To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity. 

Irrespective of what information is or isn’t held, the public entrust the Police Service to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain. 

The cumulative effect of terrorists gathering information from various sources would be even more impactive when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

Any incident that results from such a disclosure would, by default, affect National Security.

Section 31(3) Law Enforcement

Factors favouring complying with Section 1(1)(a) neither confirming nor denying that information is held

Confirming that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches. 

Factors against complying with Section 1(1)(a) neither confirming nor denying that information is held

Confirmation or denial that information is held in this case would suggest PSNI take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately. 

Decision

The points above highlight the merits of confirming or denying the requested information exists. The Police Service of Northern Ireland is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve.  As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity.

Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity would place the security of the country at an increased level of danger.   

In order to comply with statutory requirements and to meet NPCC expectation of the Police Service with regard to the management of information security, a national policy approved by the College of Policing titled National Policing Community Security Policy has been put in place. This policy has been constructed to ensure the delivery of core operational policing by providing appropriate and consistent protection for the information assets of member organisations.  A copy of this can be found at the below link: 

https://library.college.police.uk/docs/APP-Community-Security-Policy-2014.pdf 

In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the Police Service. Therefore, at this moment in time, it is our opinion that for these issues the balance test favours neither confirming nor denying that information is held.