Norfolk and Suffolk police hit by FoI-linked data breach

Norfolk and Suffolk Constabularies have reported a data breach resulting from a freedom of information (FoI) disclosure, the second such incident involving the apparent accidental mishandling of police data in the space of a week.

The two forces – which have been collaborating on multiple aspects of police work in East Anglia since 2010 – said the data related to crime statistics and was issued over an 11-month period from April 2021 to March 2022.

They said a “technical issue” led to raw data belonging to the forces being included in the files produced in response to the FoI requests – this data was supposedly hidden from anybody opening the files.

It includes personally identifiable information (PII) on approximately 1,230 people who were suspects, victims and witnesses to a number of offences, including domestic violence, sexual offences, assaults, thefts and hate crimes.

The forces said that “strenuous efforts” had been made to determine if anybody else had access to the data, and have as yet found no evidence to suggest this is the case.

Impacted individuals are now being contacted, and the Information Commissioner’s Office (ICO) has been notified. “We would like to apologise that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk,” said Suffolk police assistant chief constable Eamonn Bridger, who has been leading the investigation.

“I would like to reassure the public that procedures for handling FoI requests made to Norfolk and Suffolk constabularies are subject to continuous review to ensure that all data under the constabularies’ control is properly protected.”

While not on the same scale as the incident that hit the Police Service of Northern Ireland (PSNI) earlier in August, which saw the personal data of approximately 10,000 people employed by the force accidentally leaked as part of an FoI response, the latest incident still raises significant concerns.

Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, said: “Anyone disclosing information derived from sensitive datasets should take great care to ensure that they do not inadvertently release other information – spreadsheets in particular are notorious examples of software that can appear to ‘hide’ information, but actually leave it exposed.

“Most public authorities are aware of the risks of this when responding to FoI requests, but mistakes can still be made,” he said. “Given that the Information Commissioner has recently introduced an effective moratorium on fining public authorities, some might now question whether such authorities are being left to operate with insufficient regulatory oversight.”

In the PSNI incident, the risk to officers comes less from the fact that their data may be used by cyber criminals or fraudsters, but rather by dissident groups that reject the peace process.

Speaking on 14 August, PSNI chief constable Simon Byrnes said: “We are now confident that the workforce data set is in the hands of Dissident Republicans.

“It is now a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff,” he said. “I won’t go into detail for operational reasons, but we are working round the clock to assess the risk and take measures to mitigate it.”