UK: ICO fines Cabinet Office £500,000 for New Year Honours data breach
The Information Commissioner's Office ('ICO') published, on 2 December 2021, its monetary penalty notice and enforcement notice, as issued on 15 November 2021, in which it imposed a fine of £500,000 on the Cabinet Office for violations of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following the online disclosure of the postal addresses of the 2020 New Year Honours recipients.
Background to the notice
In particular, the notice provides that the Cabinet Office published, on 27 December 2019, a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list, including individuals from a range of professions and with a high public profile. Additionally, the notice highlights that, although the Cabinet Office removed the link to the file once it became aware of the data breach, removing the link did not remove the file itself: it remained cached and accessible online to anyone who had its exact web address, and was accessed 3,872 times over a period of two hours and 21 minutes before it became unavailable.
The ICO further noted that the breach resulted in the ICO receiving three complaints from affected individuals who raised personal safety concerns, and that the Cabinet Office was also contacted by 27 individuals with similar concerns.
Findings of the ICO
The ICO found that the Cabinet Office failed to put appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk associated with the processing of data for the purpose of the 2020 New Year Honours List, resulting in an infringement of the principle of integrity and confidentiality under Article 5(1)(f) of the GDPR, as well as Article 32 of the GDPR.
Within its notice of intent, the ICO proposed a penalty of £600,000, following which the Cabinet Office provided written representations stating, among other things, that it considered the level of the fine disproportionate to the scale of the breach. Having considered those representations among other factors, the ICO imposed a penalty of £500,000 on the Cabinet Office, taking into account, among other things, that the infringement was negligent rather than deliberate, the Cabinet Office's effective cooperation and response, and the fact that the ICO was not aware of any financial hardship or other factor that would reduce the Cabinet Office's ability to pay.