
Northern Ireland police leak: tech people, how can this happen?

44 replies

PostOpOp · 11/08/2023 07:53

This is a half-AIBU because if it's a genuine error then whoever did it must be seriously feeling bad and I'm not wanting to make that worse.

But AIBU to think that it should be impossible for personal information to be able to be posted online? I cannot understand how it could happen, even by mistake. I'm not a tech professional and have minor experience with tech, but do have some. I also have some experience of keeping information confidential. And I cannot see how it can be possible in a normal system for this to happen. In the PSNI though, that's multiplied exponentially - just how?

I mean I'd have thought that the tech dept. potentially has access to everything, but not everyone in the dept has access to everything. And can't certain database files be made virtually impossible to be moved/uploaded/exported? I'm really not understanding how this could just happen at a click of a button, rather than lots of hoops being gone through first.

Like I said, if it was a genuine mistake then someone is feeling horrific (although they likely were let down by a weak system) and I'm not wanting to pile on them. But technically, AIBU to think it is very odd that this was even possible?

Pandaflop · 11/08/2023 09:19

thecatsthecats · 11/08/2023 09:17

To be fair, it's perfectly possible to restrict system-level access so that individual records can't be seen, only summary information. That's a system issue, either in the system chosen or in the application of security settings (which I guess is human controlled too, but still...).

I've built such access profiles myself. They're usually especially useful when the Data Protection and legal staff aren't techies.

Which is why I always pitch myself in interviews as a data protection specialist who actually knows the bare fucking minimum level about technology.

Have you ever worked in the public sector out of interest? I think you have an inflated view of their budgets and the systems they use. Not saying it's right at all, but this is fantasy for most departments.

Chickenkeev · 11/08/2023 09:22

If all they needed was top level info, surely they could've c&p the summary into a word doc or something? Crazy that this happened at all. They clearly have shit procedures.

thecatsthecats · 11/08/2023 09:25

Pandaflop · 11/08/2023 09:19

Have you ever worked in the public sector out of interest? I think you have an inflated view of their budgets and the systems they use. Not saying it's right at all, but this is fantasy for most departments.

I said possible, not likely :p

But yes, as I said up thread, my previous role worked with prisons, and before that schools.

Don't get me started on the budgets angle - I worked in parallel support services, with free rein over technological choices. Aka, used vastly superior technology that was also substantially cheaper. Procurement is the death of technology.

ntmdino · 11/08/2023 09:26

thecatsthecats · 11/08/2023 09:17

To be fair, it's perfectly possible to restrict system-level access so that individual records can't be seen, only summary information. That's a system issue, either in the system chosen or in the application of security settings (which I guess is human controlled too, but still...).

I've built such access profiles myself. They're usually especially useful when the Data Protection and legal staff aren't techies.

Which is why I always pitch myself in interviews as a data protection specialist who actually knows the bare fucking minimum level about technology.

True - and that's very likely in place, although not to be guaranteed.

Ultimately, this must've been done by somebody who a) had access to the personal data of the employees to be able to export it, but b) wasn't competent enough to justify having access to that personal data.

thecatsthecats · 11/08/2023 09:32

ntmdino · 11/08/2023 09:26

True - and that's very likely in place, although not to be guaranteed.

Ultimately, this must've been done by somebody who a) had access to the personal data of the employees to be able to export it, but b) wasn't competent enough to justify having access to that personal data.

Well, the poor shmuck might not have had anything to do with the upload. Might not even have had the context of the request - just "give me a list". Then the data pivoted by someone else, possibly.

Making the list in and of itself would be a risk, of course.

ntmdino · 11/08/2023 09:36

thecatsthecats · 11/08/2023 09:32

Well, the poor shmuck might not have had anything to do with the upload. Might not even have had the context of the request - just "give me a list". Then the data pivoted by someone else, possibly.

Making the list in and of itself would be a risk, of course.

Yeah, that last bit is kind of my point. I've worked for a few financial companies, and usually the easiest way to kill a request for a spreadsheet report is to ask, "Why do you need that data as a spreadsheet?". Amazing how many people don't ask that question.

But it goes back to your earlier points about information security - part of having access to any piece of data is having the responsibility to not give it to somebody who doesn't have the same level of data security training, responsibility and competence. If everybody paid attention to that simple principle, data leaks via human vector would never happen.

Pandaflop · 11/08/2023 09:37

thecatsthecats · 11/08/2023 09:25

I said possible, not likely :p

But yes, as I said up thread, my previous role worked with prisons, and before that schools.

Don't get me started on the budgets angle - I worked in parallel support services, with free rein over technological choices. Aka, used vastly superior technology that was also substantially cheaper. Procurement is the death of technology.

The issue with the public's tax money though is that it has to go through some sort of procurement process, not sure how it makes it more expensive if done correctly though, especially now with G Cloud and responsive frameworks. The issue is extrapolating a lot of these systems across whole networks and departments is expensive regardless, and so changing things is just not affordable.

cloudydays97 · 11/08/2023 09:37

@ntmdino it was an FOI, which is supposed to be applicant blind; you're not allowed to ask why the person wants it, that's set out in the FOI Act

TrishM80 · 11/08/2023 09:37

If I ever make a fuck up in work, I'll just think of this incident and I won't feel as bad.

ntmdino · 11/08/2023 09:40

cloudydays97 · 11/08/2023 09:37

@ntmdino it was an FOI, which is supposed to be applicant blind; you're not allowed to ask why the person wants it, that's set out in the FOI Act

Yes, I know it was an FOI request. However, certain pieces of data are exempt by definition - like the personal data of employees. Hence the "incompetence" angle.

Winterscomingagain · 11/08/2023 09:44

WeAreFromThePlanetDuplo · 11/08/2023 08:40

If I’ve understood correctly, the PSNI administrator/data person didn’t publish the document or put it online, they sent the information out to someone in response to an FOI request. Presumably that person then put it up on the website. I wonder who they are, and if they knew what they were doing.

I believe the information is sent directly to the website so it isn't actually emailed to anyone. If you look at the website you can see the PSNI request to withdraw the previous information. This instantly created more interest.

thecatsthecats · 11/08/2023 09:48

ntmdino · 11/08/2023 09:36

Yeah, that last bit is kind of my point. I've worked for a few financial companies, and usually the easiest way to kill a request for a spreadsheet report is to ask, "Why do you need that data as a spreadsheet?". Amazing how many people don't ask that question.

But it goes back to your earlier points about information security - part of having access to any piece of data is having the responsibility to not give it to somebody who doesn't have the same level of data security training, responsibility and competence. If everybody paid attention to that simple principle, data leaks via human vector would never happen.

Agreed - but I guess by the same token, any data or systems work would also cease entirely, because that level of competence and training would also never happen. The big problem being that people just accept that it being impossible to solve entirely means they don't try.

ntmdino · 11/08/2023 09:49

thecatsthecats · 11/08/2023 09:48

Agreed - but I guess by the same token, any data or systems work would also cease entirely, because that level of competence and training would also never happen. The big problem being that people just accept that it being impossible to solve entirely means they don't try.

Yup. Or, as is often the case (and maybe even in this case), the very public-sector approach of "It's somebody else's problem".

WeAreFromThePlanetDuplo · 11/08/2023 10:16

The spreadsheets I use are pretty basic, so maybe this is a stupid question, but was the name and address spreadsheet attached as a separate document, or was it somehow accessible from within the more vague document? And if the latter, could that have been avoided by submitting the vague document as a pdf and not a spreadsheet?

WeAreFromThePlanetDuplo · 11/08/2023 10:16

I mean station addresses, I know personal addresses haven't been released.

thecatsthecats · 11/08/2023 10:55

ntmdino · 11/08/2023 09:49

Yup. Or, as is often the case (and maybe even in this case), the very public-sector approach of "It's somebody else's problem".

Usually mine!

There's a growing trend in my sector to deal with resource issues by doing worthy presentations on "everyone is responsible for procurement", "everyone is responsible for budgets" etc.

This is entirely ridiculous, because the only thing that everyone is is sick of these presentations telling them about another damn responsibility that's not on their job description.

ntmdino · 11/08/2023 10:58

thecatsthecats · 11/08/2023 10:55

Usually mine!

There's a growing trend in my sector to deal with resource issues by doing worthy presentations on "everyone is responsible for procurement", "everyone is responsible for budgets" etc.

This is entirely ridiculous, because the only thing that everyone is is sick of these presentations telling them about another damn responsibility that's not on their job description.

It's a corollary to "none of us are as dumb as all of us" - "when it's everybody's responsibility, it's nobody's responsibility".

PostOpOp · 11/08/2023 12:56

Thanks for the replies on this. Thanks for the explanations. I hadn't realised it had been emailed to a website that automatically publishes either.

It's a really horrific mistake. I'm under no illusion about the fallacy of human "perfection" either. It's something that drives me up the wall. I believe systems aren't safe/secure unless they assume there will be human error at every stage, and have safeguards against them!

And to the people who are reading this who are in or have relatives in the PSNI my thoughts are with you. It's a live threat to the life and safety of every single person in the PSNI - something I think that many outside the country don't fully appreciate. It's a genuine mistake but the ramifications are horrific. Living in fear isn't a life.

tommika · 11/08/2023 13:45

thecatsthecats · 11/08/2023 08:51

To be fair, I would hazard a guess that a decent system would allow you to filter and pivot the data prior to extraction so that no personal data was required to leave the secure system.

But then I just left a company working with prisoner and criminal record data who were determined to switch from a system that could do that to a system that couldn't.

A decent system would allow you to filter / report on the information - provided the results required fit in with the system specifications.
An FOI can ask anything of a government body.

The question was:

Could you please provide me with the number of officers and staff at each rank or grade distinguishing between how many are substantive/temporary/acting as of 01/08/2023. Could you please provide this information in the form of tables for officers and tables for staff.

https://www.whatdotheyknow.com/request/numbers_of_officers_and_staff_at#incoming-2387685

The PSNI HR system will have held that, and line managers would have on screen access to lists of their staff.
Unless there is a central HR department (which have been scaled down across government) there would not be an existing cross PSNI report counting numbers of staff with a breakdown of status.

There is a legal obligation to comply with FOIs in a timely manner, and in the absence of such a report it may not be practical to commission a system change for one FOI, or if planned to do so would not make the changes in time to complete an FOI.
A commercial organisation can judge the priority and either conduct the change or reject the report - putting in extra resources / funding for a faster change if required.

The data extract may have been available via the software to an empowered user with global access or may have been pulled from the underlying data itself by a system administrator.
