The Cabinet Office was this month alerted to a data breach which exposed personal details of a civil servant and a supplier representative.
The department then failed to acknowledge or address the breach for 10 days – which was finally fixed after the press office was asked for comment.
This response can be compared with that of the Department of Health and Social Care which – when alerted at the same time to a very similar incident – seemingly began work on fixing the problem very quickly, and responded to provide details of remedial actions to fix the breach, and take steps to ensure it was not repeated in the future.
On 4 November, the Cabinet Office published a contract-award notice providing information on a £5m one-year deal for “cloud support services” awarded to tech consultancy Thoughtworks. The contract relates to ongoing work to modernise government’s security-vetting processes.
Attached to the notice was the full contract in PDF form.
Attempts had been made to redact the document, including the removal of email and mobile-phone contact details of named individuals, as well as the specifics of pricing and other commercial information the department clearly wished to keep under wraps.
However, the contract text containing these details had only been highlighted in black – and not deleted, or otherwise rendered inaccessible. This means it can still be easily read by copying it and pasting it into another document.
Having discovered the breach, PublicTechnology contacted the dedicated inbox of the department’s data-protection officer at 2.30pm on Friday 11 November, providing details of the incident and enquiring what action might be taken in response.
As of the morning of Monday 21 November – when the press office was contacted to request comment on the incident – no response to this email had been received, and the document containing the exposed personal data was still available online. It was replaced with an updated version – with individuals’ information properly removed this time – the following day.
A spokesperson for the Cabinet Office said: “We take any breaches of security extremely seriously. This issue has been resolved and we are taking steps internally to ensure an incident of this nature does not happen again. The details shared in this document were not of a sensitive nature."
A familiar issue
While it may now be working to ensure this does not happen again, a near-replica of this incident has occurred before. Two years ago, PublicTechnology discovered a breach in which the Cabinet Office had exposed the personal data of an official and a supplier representative by releasing a contract document in which information had been highlighted, rather than deleted.
On that occasion, an initial email to the data-protection officer remained unanswered, and the breach was only fixed shortly after the press office was alerted.
Exposing personal data via highlighting text, rather than proper redaction, is a familiar issue, having been the cause of several breaches.
At the same time that PublicTechnology initially contacted the Cabinet Office, it also contacted the data-protection officer of the Department of Health and Social Care to notify them that the names and email addresses of civil servants and supplier staff had been published in a contract in which this information was, once again, highlighted, and not removed.
Six days later – by which point the document had been removed from the procurement notice – we received a response indicating that the department had taken steps to “ensure this data was contained and protected as soon as logistically possible”.
The DPO also said that, immediately after being alerted to the breach, officials had “begun the process of reviewing why this occurred and how to ensure appropriate awareness, training and insight is provided to colleagues to ensure the risk of an incident such as this occurring again is minimised”.
The department advised that its communications team had been informed and “so that the quality assurance process currently in place can be enhanced”, and that existing programmes – while they are already “consistent and far-reaching” – will contain some tailored content to address the specific issue behind this latest breach.
The issue in question poses such a common risk that guidance documents from the Information Commissioner’s Office on how public sector officials can disclose information safely attempt to address this issue with detailed advice on the nature of the problem, and how to address it.
“An author might be tempted to use the highlighter tool to add a black box around text marked for redaction,” the guidance says. “It is important to recognise that the information still exists underneath the black box.”
"Care must be taken when publishing information to avoid inadvertent disclosures. Our website has advice on how to disclose information safely."
ICO 's new approach
Earlier this year, the ICO announced that it was changing the approach it takes to working with the public sector, and intends to focus more on raising standards – and calling out bad practice, where necessary – but less on financial punishments. As part of this new ethos, the regulator recently revealed it was reducing, from £500,000 to £50,000, the fine being levied on the Cabinet Office for the breach in which personal details of more than 1,000 recipients of the New Year Honours in 2020 were exposed.
In a statement sent to PublicTechnology for this story, an ICO spokesperson said: “We are working with the public sector to ensure people’s information is being looked after, as part of our new approach to working more effectively with public authorities. Care must be taken when publishing information to avoid inadvertent disclosures. Our website has advice on how to disclose information safely.”
Sam Trendall is editor of PublicTechnology, where a version of this story first appeared