UK: ICO fines Cabinet Office £500,000 for New Year Honours data breach
The Information Commissioner's Office ('ICO') published, on 2 December 2021, its monetary penalty notice and enforcement notice, as issued on 15 November 2021, in which it imposed a fine of £500,000 on the Cabinet Office for violations of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following disclosure of the postal addresses of the 2020 New Year Honours recipients online.
Background to the notice
In particular, the notice provides that the Cabinet Office published, on 27 December 2019, a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list, including individuals from a range of professions and with a high public profile. Additionally, the notice highlights that, although the Cabinet Office removed the link to the file once it became aware of the data breach, the file remained cached and accessible online to anyone who had the exact webpage address, with the result that the individuals' personal data was accessed 3,872 times over a period of two hours and 21 minutes.
The ICO further noted that this, in turn, resulted in the ICO receiving three complaints from affected individuals who raised personal safety concerns resulting from the breach, whilst the Cabinet Office was also contacted by 27 individuals with similar concerns.
Findings of the ICO
The ICO found that the Cabinet Office failed to put appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk associated with the processing of data for the purpose of the 2020 New Year Honours List, resulting in an infringement of the principle of integrity and confidentiality under Article 5(1)(f) of the GDPR, as well as Article 32 of the GDPR.
Within its notice of intent, the ICO proposed a penalty of £600,000, following which the Cabinet Office provided written representations stating, among other things, that it found the level of the fine to be disproportionate to the scale of the breach. Having considered those representations among other factors, the ICO imposed a penalty of £500,000 on the Cabinet Office, taking into account, among other things, that the acts were negligent, the Cabinet Office's effective cooperation and response, and the fact that the ICO was not aware of any financial hardship or other factors that would reduce the Cabinet Office's ability to pay.
You can read the press releases here and here, and the monetary penalty notice here.
UPDATE (3 November 2022)
ICO reduces fine imposed on Cabinet Office to £50,000 following appeal
The ICO announced, on 3 November 2022, that it has agreed to reduce the £500,000 monetary penalty notice it had imposed on the Cabinet Office in 2021 in relation to the New Year Honours data breach, to £50,000, which the Cabinet Office has agreed to pay. In particular, the ICO stated that this agreement reflects its new approach to working more effectively with public authorities. In this regard, the ICO specified that the Cabinet Office had appealed against the initial amount of the fine to the First-tier Tribunal (General Regulatory Chamber) in December 2021, alleging that the level of penalty was disproportionate to the breach, and that the appeal related solely to the amount of the fine.
Notably, the ICO highlighted that under the agreement reached between the parties, which has been approved by the Tribunal, the ICO has agreed to a reduction in the amount of the fine to £50,000 and that the Cabinet Office's appeal before the Tribunal has been dismissed.
You can read the press release here.