The ICO has announced it has issued the Cabinet Office with a monetary penalty notice, and imposed a fine of £500,000 for failing to implement appropriate technical and organisational measures to keep personal data secure, in contravention of the General Data Protection Regulation (GDPR).

Contravention by the Cabinet Office

On 27 to 28 December 2019, the Cabinet Office erroneously published on-line the full postal addresses of individuals names as recipients of awards in the 2020 New Years Honours List.

This included the names and unredacted addresses of more than 1,000 people announced in the New Years Honours List, many of whom had high public profiles.

The file remained on-line for a period of two hours and 21 minutes.  According to the ICO, in this time it was accessed 3,872 times.

Those affected by the data breach were potentially exposed to the risk of identity fraud and threats to their personal safety.

ICO investigation

The ICO’s investigation determined that the Cabinet Office had failed to process personal data in a manner that ensured the appropriate security of the personal data.  This was in breach of Article 5(1)(f).

In addition, the ICO’s investigation determined that the Cabinet Office did not have in place appropriate technical and organisational measures to ensure a high level of security appropriate to the risk associated with processing the data for the purposes of the 2020 Honours List.

Financial penalty 

Following a full incident review, it is understood the Cabinet Office ensured that operational and technical measures to improve the security of its systems were introduced.  An independent review focussing on data handling was completed in 2020.

The notice of intent dated 16 September 2021 proposed a penalty of £600,000.  This was subsequently reduced to £500,000 by the monetary penalty notice issued by the ICO to the Cabinet Office.