Cabinet Office fine over honours data breach slashed by 90% amid ‘economic pressure’

ICO says £500k penalty was proportionate, but reduction signals changing approach to public sector
Photo: Conall/Flickr/CC BY 2.0

By Sam Trendall

11 Nov 2022

The Information Commissioner’s Office has agreed a 90% reduction to the fine payable by the Cabinet Office over the New Year honours data breach of three years ago.

The watchdog claimed that the reduced penalty is, in part, in recognition of the economic challenges facing government. It is also reflective of the new approach the ICO is taking to working with public authorities – which will focus less on monetary punishments, and more on helping to raise standards.

In a penalty notice issued last year – during the tenure of the previous commissioner, Elizabeth Denham – the regulator imposed on the Cabinet Office a fine of £500,000 in relation to the breach. The incident, which took place on 27 December 2019, saw the department publish online the names and addresses of more than 1,000 people recognised in the 2020 New Year honours. Those affected by the breach included Sir Elton John, Nadiya Hussain, and Ben Stokes. 

Personal details uncovered during the incident were accessed a total of 3,872 times during the two hours and 21 minutes that they were accessible online. The ICO received three complaints from individuals whose information was published, while 27 people contacted the Cabinet Office to express concerns.

John Edwards – who began his term as information commissioner at the start of this year – said that the size of the originally imposed punishment had been fair. But, in line with a new and more collaborative approach he set out earlier this year, the regulator wished to work with public bodies to encourage, rather than enforce, compliance.

“The ICO is a pragmatic, proportionate and effective regulator, focusing on making a difference to people’s lives,” he said. “While I consider the original fine was proportionate in all the circumstances of this case due to the potential impact on the people affected by the breach, I recognise the current economic pressures public bodies are facing, and the fact that in certain cases fines may be less critical in achieving deterrence.

“We welcome the agreement reached with the Cabinet Office and we will continue to work with them to ensure people’s information is being looked after.”

Edwards added: “Since the fine was issued last year, I have adopted a new approach to working more effectively with public authorities to raise data protection standards. As I have explained, in certain circumstances large fines on their own may not be as effective a deterrent within the public sector. I am willing to use my discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice.”

A Cabinet Office spokesperson said: “We note the ICO’s update on this case. We are pleased to have reached a resolution and have welcomed the opportunity to work constructively with the Information Commissioner.”

The ICO’s new approach to the public sector was announced by the commissioner in an open letter published in June. The drive to help government bodies improve standards is likely to result in fewer and smaller fines being issued – but an increase in public reprimands for those that do fail to meet their compliance requirements.

This new ethos was exemplified by a recent announcement in which seven organisations were scolded over their failure to meet their obligations in responding to subject access requests – the mechanism which allows citizens to request information and copies of any personal data held on them by businesses or public bodies. Among the organisations reprimanded were the Home Office, Ministry of Defence, Kent Police, and local authorities in the London boroughs of Lambeth, Hackney, and Croydon. Telecommunications firm Virgin Media was also issued with a reprimand.

The Department for Education had recently avoided a £10m fine over what Edwards called a “woeful” breach in which a screening firm was given access to children’s data, which it used to carry out gambling age-verification checks.

Speaking to CSW’s sister title PublicTechnology at the time, Edwards said publicising the action taken against the organisations – none of which have been fined – is “very much” part of the new approach. The next step is to help them do better, he added.

“We will work with organisations who want to improve, and we will give them guidance and tools to get them where they want to be. But, if they are failing to meet their statutory obligations, we will call it out,” the commissioner said.

“We are going to be developing more resources: we are talking about designing a tool for people to make requests – which will help people narrow their request – and we will also deliver targeted guidance [for public bodies].”

Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared
