Policing Board member Mike Nesbitt intends to grill Chief Constable Simon Byrne over 'vagueness' of statement on theft of police laptop, radio and data sheet

The Ulster Unionist MLA has written to the Chief Constable, Simon Byrne, questioning the statement the PSNI released on Saturday concerning the theft of t he items from a private vehicle belonging to a police officer in the Newtownabbey area. One of his concerns is that it took eight days for the 200 officers and police staff, whose details were on the stolen data sheet, to be notified of of the breach which occurred before the PSNI’s catastrophic FOI blunder.

Mr Nesbitt said: “The timelines in the statement do not make sense to me. They need interrogation and I intend to do so at the next session between the chief constable and the Policing Board. I have four areas for clarification.

"First, why did it take three weeks for senior officers at headquarters to become aware? It’s not the first time in recent times there has been an undue delay between an adverse event and the information reaching the senior executive team. That suggests a systemic failure that needs addressed urgently.

“Secondly, I am concerned it took HQ eight days to alert the 200 officers and staff that a data sheet containing their names had been stolen. The PSNI say they had to confirm the exact nature of the missing data. I would have thought all they had to do was ask the officer whose car was broken into to identify the data set. I cannot speak for the 200, but if I was one of them, I would be extremely angry I was allowed to go about my daily life for over a week before being told some of my personal details had been stolen.

“Thirdly, why was there a four-day delay in alerting the information commissioner? The PSNI statement says they wanted to be sure that ‘accurate information’ was passed to the commission office. Yet, Section 67 of the Data Protection Act 2018 says a breach should be reported ‘without undue delay’ and ‘where feasible not later than 72 hours after becoming aware of it’. That is three days, not four.

He continued: "I would have thought it would have been best practise to alert the commissioner as soon as HQ became aware on July 27, if only to inform him of the headline fact of the theft, with a promise to revert once full detail was established.

“The most puzzling aspect is the lack of clarity about when exactly they deactivated remotely the missing laptop and radio. The statement mentions the theft on July 6 and suggests the devices were deactivated shortly afterwards. That implies the remedial action took place well before HQ were aware, so who had the authority to order deactivation without informing headquarters?

“The vagueness is in stark contrast to the pinpoint accuracy the PSNI provided the board about the timeline of the larger, catastrophic data breach of the 10,000 names. Here, we were informed to the minute, of when the data was uploaded, when the PSNI were alerted to what they had done, and when they informed the Information Commissioner’s Office – that was minutes, not days.”

Assistant Chief Constable Chris Todd said: “We updated the Northern Ireland Policing Board on the Newtownabbey data breach last week. We will continue to keep the Board appraised. However, as there is an ongoing investigation we have no further comment to make at this time.”