On 27 December 2019, a version of the New Year’s Honours 2020 list was accidentally published online by the Cabinet Office. This high-profile breach raises serious issues of privacy and data protection because of the profiles of the affected individuals and the fact that the responsible controller is the Cabinet Office.
The document was published “in error” and contained address details of people receiving the highest honours, such as house numbers and postcodes of home addresses. The Cabinet Office removed the information and informed all data subjects concerned, however versions of the spreadsheet were subsequently re-uploaded on social media. Whilst the downloadable document containing the personal data only remained online for around an hour, the exact data breach volume and damage suffered by data subjects remains unknown.
It would not be surprising for this incident to lead to substantial claims for compensation. The Police Federation of England and Wales has already made public its concerns about the security implications for those of its members who were affected, which included police officers working on very sensitive investigations. The list also included many celebrities, sports stars and those prominent in business and the arts; most of whom would be expected to be highly protective of their address details for security reasons.
This incident bears remarkable resemblance to the case of TLT, in which a spreadsheet containing the personal details of 1,598 applicants for asylum was accidentally uploaded to a website by the Home Office, with seriously detrimental impact on those affected. This included vulnerable asylum applicants who were put at risk of physical harm by the disclosure. TLT and another family member were awarded £12,500 damages – currently the high-watermark for data breach compensation. Presciently, in a related appeal judgment, Lord Justice Gross said ‘The data error here had serious consequences, which should not be minimised. It was neither the first nor will it be the last of such human errors, whether made by government departments or others’.
Whilst the exact cause of the disclosure is under investigation and remains to be established, the incident highlights the inherent risk of human error and the importance for data controllers to implement accurate and effective internal procedures that allow for immediate reactions and minimize the risks for the people concerned by putting in place remediation plans.
As required under data protection legislation, the Cabinet Office has self-reported the incident to the Information Commissioner’s Office (ICO). One would expect, as part of the ICO’s response, careful consideration of the importance of maintaining confidence in the national regulatory system governing data privacy.
Withers regularly advises clients in respect of personal data breaches including compensation, regaining control of lost personal information and preventing misuse of leaked data, who needs to be notified and how to communicate with affected individuals. For further information contact Chloe Flascher and Jo Sanders.