A major data breach within the Police Service of Northern Ireland (PSNI) was due to gross negligence and systemic failures, the High Court in Belfast heard on Monday.
Counsel for thousands of the officers and civilian staff suing over the release of their personal details claimed at least four individuals could have spotted what was about to be accidentally published.
A judge was also told the disclosure came at a time when dissident republican terrorists were assessed as posing a severe threat.
Legal action centres on the unprecedented data breach which occurred in August 2023.
RM Block
Names, ranks and roles of nearly 9,500 PSNI officers and staff were inadvertently published in response to a Freedom of Information (FoI) request.
The details were downloaded as an Excel file from the PSNI’s human resources management system and then uploaded onto a website.
Within days of the leak it was confirmed that dissident republicans had accessed the information.
Up to 8,500 of those affected are seeking damages, with group actions being pursued and six test cases identified as part of efforts to manage the scale of litigation.
Claims have been brought for negligence and breaches of data protection and privacy.
Although the PSNI has already accepted liability for what happened, the court heard it does not have the funding to settle the actions.
Last week, it emerged the UK Treasury has rejected a request from the Stormont Executive for financial help in footing the overall estimated £120 million (€137 million) bill.
Despite all plaintiffs being granted anonymity, evidence in the first test case was put on hold on Monday amid issues about screening the witness from public view.
Instead, Gavin Millar KC made opening submissions on behalf of thousands of those seeking compensation.
He set out how the FoI request led to the PSNI’s entire workforce data being attached to the document proposed for disclosure.
“At least four people, as it went through that internal process, failed to spot the tab with this huge quantity of data,” Mr Millar told the court.
“It’s gross negligence, it’s a systemic failure and that will have to sound on damages.”
The PSNI has already been fined £750,000 by the Information Commissioner’s Office for the data breach.
But according to counsel, the incident was so serious that a private sector organisation would have faced a penalty of more than £5 million.
He told the court that a section of the document with the personal details was posted on a wall in west Belfast later that month.
“All of this was happening at a time when a severe terrorist threat was recognised by MI5,” Mr Millar said.
“(And) there are continuing concerns about possession of the spreadsheet, you can’t quantify who has got it and what they are doing with it.”
He argued there was a lack of care shown for serving police officers who had taken care to ensure only close family and friends knew about their jobs.
Referring to how some staff learned of the breach, the barrister added: “You will hear evidence from plaintiffs that the media had the story before that notification went out from the PSNI.”
Earlier in the hearing, counsel for the Chief Constable Jon Boutcher confirmed the force was currently not in a financial position to try to settle the claims through a “universal offer”.
“That offer cannot be made in the absence of funding from the UK Treasury; the Northern Ireland Executive does not have the funding,” he told the court.
The case continues.
