The New Year Honours Data Breach

man in santa claus costume

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However more media attention this year has been on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR) particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26thDecember. The Cabinet Office said the list was downloadable from its website for around an hour and was taken down in the early hours of Saturday. The vast majority of people on the list had their house numbers, street names and postcodes published with their name.

Such a breach can result in the Information Commissioner’s Office (ICO) issuing a fine of up to 4% of a company’s annual global turnover or £17m, whichever is greater. It comes hot on the heels of the first GDPR fine issued to a London based pharmacy. Doorstep Dispensaree Ltd was fined £275,000 for careless storage of the medical data of half a million people. We are also waiting for a final decision on whether, and how much, British Airways and Marriot International will be fined after both were issued with Notices of Intent for millions of pounds.

The Cabinet Office, which (ironically) manages the UK’s cybersecurity, has apologised for the breach and said it is investigating the cause. The ICO is also “making inquiries.” Can the Cabinet Office expect a large fine? Article 83(2) of GDPR requires the ICO, when deciding whether to impose a fine and the amount, to have due regard to various factors including (amongst others):

  • The nature, gravity and duration of the infringement
  • The number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the responsible party to mitigate the damage suffered by data subjects
  • The degree of cooperation with the ICO, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the ICO, in particular whether, and if so to what extent, it was notified of the infringement
  • Any other aggravating or mitigating factor applicable to the circumstances of the case

Whilst this data breach involved over 1000 people, the effect on each will be different. The leak could endanger the lives of some of them e.g police and government officials. “A number of those receiving honours are employed in extremely sensitive positions in the police and intelligence agencies,” Richard Walton, the former head of counterterrorism at Scotland Yard, told the Sunday Times.

“The release of the private addresses of these individuals into the public domain will mean that a threat and risk assessment will need to be undertaken resulting in some having new private security measures introduced into their homes,” he added.

The fact that the Cabinet Office took almost immediate action to remedy the situation and reported the data breach to the ICO will count in its favour. It has also said that it is contacting the individuals affected and providing them with guidance if they have security concerns.  As long as the Cabinet Office can satisfy the ICO that it had appropriate security measures in place and staff were aware of their data protection obligations, my personal view is that the ICO will exercise one of its less serious corrective powers, under Article 58(2) of GDPR, most probably a warning. Depending on what it discovers during its investigation, it may also issue an Enforcement Notice under Section 149 of the Data Protection Act 2018.

Training and awareness of staff involved in the data breach will also be one of the areas the ICO will wish to focus on during its investigation. Most of the audits and advisory visits completed recently feature recommendations on this topic. (See for example the report into North Bristol NHS Trust and Essex Police.) Our new e-learning course, GDPR Essentials is ideal for training frontline staff.

Even if the ICO decides not to impose a fine the Cabinet Office (at least in theory) faces the threat of legal action by those affected by the data breach.  Article 79 and 82 of GDPR give them a free-standing right to sue the Cabinet Office in the civil courts for compensation for the material and non-material damage suffered. A recent Court of Appeal decision as well as S.168 of the DPA make it clear that this includes distress. Much depends on the attitude of the affected individuals. Many may just be grateful for the accolade and will not want to sour relations with the Government. Others may put it down to human error and move on.

The Guardian reports that it was alerted to the list by a member of the public. So what of those who managed to download the full list, with the addresses, in the hour or so that it was available?  Section 170 of the DPA 2018 makes it a criminal offence to “… after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”

There will be much to learn from conclusion of the ICO’s investigation into this high profile data breach. Whatever the outcome, it has certainly highlighted the importance of getting data protection right.  Furthermore, GDPR is now being mentioned in the same sentence as Sir Elton John, Ainsley Harriott and Olivia Newton-John. Proof, if it were needed, that data protection is cool!

These and other GDPR developments will be discussed in detail in our GDPR update workshop. Our new new e-learning course, GDPR Essentials will help you train your staff in 30 minutes. Watch the demo here

Photo by bruce mars on


Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Leave a Reply

%d bloggers like this: