The UK’s Information Commissioner’s Office (ICO) has fined the Cabinet Office because it failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of recipients of New Year’s honours.
Twice a year, the government dishes out a mixed bag of honours – knighthood and Order of the Bath etc. – to a list of people deemed worthy.
The ICO has now fined the Cabinet Office – the unit that works across government departments on behalf of the prime minister – £500,000 for the unauthorised disclosure of people’s information, which is a breach of data protection law, during the 27 December 2019 gong bonanza.
The Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file, but cunning miscreants cached the file and ensured it was accessible online.
The personal data was available online for a period of two hours and 21 minutes and was accessed 3,872 times, the ICO said. It received three complaints from affected individuals who raised personal safety concerns resulting from the breach. The Cabinet Office was also contacted by 27 individuals with similar concerns.
ICO investigations director Steve Eckersley said: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety. The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”
According to the ICO, the Honours and Appointments Secretariat (HAS) within the Cabinet Office introduced a new IT system in 2019 to process the public nominations for the New Year Honours. But it was set up incorrectly, resulting in CSV files that included postal address data.
Due to tight timescales to get the New Year Honours list published, the HAS operations team decided to amend the file instead of modifying the IT system. However, each time a new file version was generated, the postal address data was automatically included in the file.
The Cabinet Office has since instigated a number of operational and technical measures to improve the security of its systems, and an independent review focusing on data handling was completed in 2020.
Elizabeth Denham left her post as Information Commissioner on 30 November 2021. John Edwards, New Zealand’s Privacy Commissioner, will take up the post on 3 January 2022.
In the meantime, Paul Arnold, the ICO’s deputy chief executive, will be designated as the ICO’s accounting officer from 1 December 2021 until 2 January 2022.