By Julian O’Neill
BBC News NI home affairs correspondent
Two hundred officers and staff of the Police Service of Northern Ireland were not informed of the theft of personal data from a superintendent’s car for a month, police have admitted.
Police said news of the security breach in Newtownabbey was relayed to affected individuals on 4 August.
A document containing the names of officers and staff was taken along with a police-issue laptop on 6 July.
The police said the nature of the missing data had to be confirmed.
The senior officer remains in his post while the subject of an investigation into the loss of the items from a car parked outside a retail complex.
This data breach is one of two such leaks affecting data about the employees of the Police Service of Northern Ireland (PSNI).
On Tuesday, the PSNI mistakenly shared details of about 10,000 employees. The chief constable has apologised.
The PSNI’s data risk management unit was first informed of the theft incident on 27 July.
However, in response to questions from BBC News NI, it has emerged that individuals were not advised of the data leak, which could have compromised their security, until 4 August.
BBC News NI understands that what happened during the intervening weeks is being urgently reviewed.
Police radio stolen
The document contained the full names and work locations of more than 200 officers and support staff. It did not reveal any home addresses.
The laptop is password protected and its contents are believed to have been remotely erased by the PSNI. However, the police have not said on what date this was done.
A police radio was also stolen.
Timeline of Newtownabbey data theft
- 3 July: Laptop, radio and document stolen from car
- 27 July: PSNI information security unit informed
- 31 July: Information Commissioners Office informed
- 4 Aug: Affected staff told
In a statement on Saturday, Assistant Chief Constable Chris Todd confirmed the police were investigating the circumstances of the theft.
“Our Information Security Unit were informed on 27th July,” he said.
“As there was a delay, our Information Security Unit had to conduct their own enquiries to be clear on what accurate information could be conveyed to the Information Commissioners Office who were then informed on the 31st July.
“The precise nature of the missing data had to be confirmed before we could inform our officers and staff on the 4th August.
“We have worked with our Data Protection Officer and sought legal advice and guidance to ensure the information we provided to our employees was accurate.”
The Superintendent Association of Northern Ireland (SANI) confirmed that one of its members is involved, adding that a “disciplinary process is under way”.
‘Opportunities to stop leak’
The information released in the first data breach was accidentally included in a response to a freedom of information (FoI) request.
It included the surname and first initial of every employee, their rank or grade, where they are based and the unit they work in, including sensitive areas such as surveillance and intelligence.
It appeared on the internet for a few hours but was later taken down.
Mike Nesbitt, from the Ulster Unionist Party (UUP) and a member of the Policing Board, said the PSNI had multiple opportunities to stop the publication of that information.
“It was my understanding from the police that no one individual or indeed single department was responsible for the leak,” he said.
He added that there were “multiple opportunities for a number of individuals to spot that the spreadsheet had a facility on it where with one click you could get behind what was on your computer screen and access all the source data, the names, the ranks, the positions”.