Cabinet Office Fined £500,000 for Disclosing Addresses of High-Profile Individuals
This decision comes hot on the heels of other ICO penalty decisions, including its recent decisions to fine two charities £10,000 and £25,000 for breaching the UK GDPR. As this latest decision concerns the data of high-profile individuals, there are a number of takeaways for production companies.
In December 2019 the Cabinet Office accidentally published on GOV.UK a CSV file containing the names and postal addresses of more than 1,000 people included on the New Year Honours list. The list included individuals from a wide range of professions, including high-profile individuals.
A member of the Government Communications Team came across the breach “by chance” and alerted the Cabinet Office Press Team. The file was permanently deleted from the website two hours and 21 minutes after it was published. Before its deletion, it was accessed 3,872 times from 2,798 IP addresses.
The Cabinet Office reported the breach to the ICO within 72 hours of discovering it.
Following an investigation, the ICO found that the Cabinet Office had breached Article 32(1) of the UK GDPR because it had failed to put in place appropriate technical and organisational measures which reflected the risk associated with the processing of the data.
The ICO initially issued the Cabinet Office with a notice of intent to impose a penalty of £600,000. However, the Cabinet Office contested the fine and the ICO subsequently reduced it to £500,000.
Despite the reduction, this is still a heavy fine. Among other things, the ICO based its decision on the following factors:
- Although the file wasn’t online for very long, the publication of the list was a high-profile event and the list was accessed nearly 4,000 times.
- Although the information constituted basic identifying information and not sensitive data, it concerned a large number of individuals, including high-profile individuals.
- While documents regarding best practice for handling data had been accessible to employees on the Cabinet Office’s intranet, these were not regularly updated or promoted.
- While the Cabinet Office had implemented mandatory data protection training before the incident, not all employees who were involved in the processing of personal data had received training in the past two years.
- The Cabinet Office had also identified that there were issues with access restrictions often being imposed “too late,” resulting in some personal data being accessible to entire teams.
- The data breach could easily have been avoided, but the Cabinet Office had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Key takeaways for production
This decision has a number of key takeaways for production companies and their teams:
- As the ICO is continuing to crack down on organisations which don’t have sufficient safeguards in place to protect people’s data, it’s essential to have adequate security measures in place. (Not sure where to start? See how the Production Portal can help you to protect your data.)
- Personal information pertaining to high-profile individuals poses a particular risk. This includes basic contact information, such as addresses and phone numbers; swapping paper documents (e.g. start forms, contracts and call lists) for digital versions can help to mitigate this risk.
- It’s important to have appropriate data protection policies in place and a means to update and promote these through ongoing training. It’s also important to have a clear audit trail of who has read and agreed to your policies.
- Access to personal data should be restricted to those who need it and updated as soon as crew change roles.
For more information on how to secure your production data, check out our guide to information security.