The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.
It found that the department failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information, thereby breaching data protection law.
On 27 December 2019 the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions across the UK were affected, including individuals with a high public profile.
This derived from the IT system being set up incorrectly and subsequently generating a CSV file that included postal address data. Due to tight timescales to get the list published, the Honours and Appointments Secretariat (HAS) operations team decided to amend the file instead of modifying the IT system. However, each time a new file version was generated, the postal address data was automatically included in the file.
After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, it was still cached and accessible online to people who had the exact webpage address.
The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times.
No process
The Cabinet Office confirmed that there was no specific or written process in place in HAS at the time to sign off documents and content containing personal data prior to being sent for publication.
Due to the data being published in the public domain, the ICO received three complaints from affected individuals who raised personal safety concerns resulting from the breach. The Cabinet Office was also contacted by 27 individuals with similar concerns.
Steve Eckersley, ICO director of investigations, said: “When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.
“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”
Image from iStock, GOCMEN
