Step into…a New Year honours data breach

The ICO has fined the Cabinet Office £500,000 for disclosing the postal addresses of 2020 New Year honours recipients online, including high-profile names such Sir Elton John, Ben Stokes and Ainsley Harriott.

More than a thousand people had their name and address published in a file on the gov.uk website which was accessed 3,872 times in the two hours and 21 minutes it was available. The ICO received three complaints from individuals affected by the breach who cited concerns about their personal safety. The Cabinet Office itself received a further 27 complaints.

What happened?

In 2019, the Cabinet Office’s Honours and Appointments Secretariat (‘HAS’) incorrectly set up a new IT software package to process the public nominations for the New Year Honours. This meant that a CSV file was generated that included postal address data – something it should not have done and which had not been requested in the original build requirements. During testing, the postal address column went unnoticed.

In late December the error was identified by HAS, but they were under time pressure to release the New Year Honours list. So, instead of updating the software to ensure that only publication-ready documents were produced, they took a shortcut by amending the output; i.e. the CSV file generated. Following further changes, an updated CSV file was generated for publication. But this time round an employee not usually responsible for the process who was aware that postal address data should not be included, hid that column instead of deleting it. Further checks did not pick this up as the postal address data was not visible.

Since there was no formal process in place to sign-off documents containing personal data prior to their publication, the mistake went unchecked and the hidden postal address data became visible once the document was uploaded to gov.uk and became publicly accessible.

As well as taking a number of steps to contain the incident and mitigate its impact, the Cabinet Office apologised, completed an internal review and put in place a number of measures to reduce the likelihood of it happening again. In additional to this, an independent review of the Cabinet Office’s data handling was published in March 2020 and made a number of behavioural, cultural and procedural recommendations.

Comment

This fine serves as a reminder to organisations that implementing and adhering to robust processes is crucial, particularly where there are tight deadlines. In this instance, the introduction of new software and a lack of clarity about sign-off processes for documents published online were two factors which contributed  to the breach. The decision also reiterates the importance of training in the workplace. There was a lack of take-up of data protection training generally in the Cabinet Office, and the team involved in publishing the data had not received any recent training either. The absence of role-based training was equally conspicuous: no training on document redaction had been provided by the Cabinet Office, something which was identified as being particularly relevant given the circumstances of the breach. So people and processes remain just as important as any technical controls in place.