The UK’s data-protection regulator has fined the Cabinet Office £500,000 and criticised the “complacency” that saw the personal data of 1,097 people published online.
Following the award of the New Year honours in late 2019, the department erroneously published on GOV.UK a file featuring names and personal details – including home addresses – of those recognised by the Queen. The file remained available online for two hours and 21 minutes and was accessed 3,872 times.
Those affected by the breach included celebrities such as the singer Elton John (pictured above), chef Nadiya Hussain, and cricketer Ben Stokes, as well as the Cabinet Office’s own permanent secretary, John Manzoni, who was knighted – several months before he left government.
Over the course of its investigation into the incident, the ICO received formal complaints from three people affected by the breach. The Cabinet Office, meanwhile, was contacted by 27 people concerned about a potential risk to their safety.
The regulator has concluded that the department broke data-protection laws by dint of its failure to “put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information”. The breach has been punished with a fine of £500,000.
The ICO’s director of investigations Steve Eckersley said: “When data breaches happen, they have real-life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.
"The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.
"The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
The Cabinet Office indicated that it had informed the watchdog as soon as the breach was discovered. The ICO noted, however, that even after the department “removed the weblink to the file… [it] was still cached and accessible online to people who had the exact webpage address”.
Shortly after the incident, ministers announced that the Cabinet Office would undergo an independent review of its data-handling procedures.
That exercise, led by BT executive and former Home Office non-executive director Adrian Joseph, found “pockets of best practice” undermined by “concerning lapses” in behaviour and processes.
Responding to the ICO’s judgement and penalty, the department said that the IT system used to manage honours awards – which was being used for the first time at the start of 2020 – has long since been amended to include additional checks that should prevent another such slip-up.
The relevant database now produces a separate file shorn of postal addresses, while all staff in the Honours and Appointments Secretariat have undergone a refresher course of government’s Responsible for Information e-learning course.
Following a technical review by the Government Digital Service, the caching time frame for any documents made available online has been cut from 24 hours to 30 minutes.
A Cabinet Office spokesperson said: “The Cabinet Office would like to reiterate our apology for this incident. We took action to mitigate any potential harm by immediately informing the Information Commissioner and everyone affected by the breach.
"We take the findings of the information commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again. This includes a review of the overall security of the system, information management training and improving internal processes for how data is handled by the honours team.”
The £500,000 sanction imposed on the department was, until 2018, the maxium financial penalty available to the ICO. But, with the law now providing for fines of up to £17m or 4% of an organisation's global turnover, the Cabinet Office's punishment appears comparatively lenient.
Since the tougher data-protection laws came into effect, British Airways and hotel chain Marriott have been hit with respective penalties of £20m and £18.4m – albeit these figures were each greatly reduced from the originally intended fines of £183m and £99m.
Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared