The ICO has issued a clear reminder today of the importance of putting in place appropriate technical and organisational measures to prevent the unauthorised disclosure of people’s information. The ICO has issued a fine of £500,000 to the Cabinet Office following an incident in December 2019 when the Cabinet Office published a file on a gov.uk website containing the names and addresses of more than 1,000 people announced in the New Years Honours list.
The ICO noted that while the information disclosed was not special category data, the list of individuals included a number of high profile individuals whose addresses were not previously publicly known. However, the key factor emphasised by the ICO that warranted the high monetary fine was the fact that the breach was caused by the negligence of the Cabinet Office for failing to implement appropriate technical and organisational measures. The ICO found that the Cabinet Office had the opportunity on at least two occasion prior to the data breach to implement measures to mitigate the risk of a potential data breach and it did not. By way of example, the ICO found that the Cabinet Office didn't take reasonable measures to fix an IT report functionality error when the error was first identified and failed to make all staff with access to the IT report function aware of the requirement to remove postal address data before processing the generated reports after the error was identified.
While it is true that the facts and context of a data breach may increase the severity and therefore potential amount of a monetary fine, it is ultimately whether the company has appropriate technical and organisational measures in place to prevent the data breach that will be considered by the ICO when issuing a data protection fine. The mere fact that a data breach occurred is rarely (other than in serious cases) sufficient to warrant a fine from the ICO. If your organisation can demonstrate it has steps in place, such as technical security, staff training and sign-off procedures, to mitigate the risk of a data breach then the fact a data breach occurs will not in and of itself constitute a breach of data protection law.
A key take away from this enforcement action by the ICO is for businesses to take a moment and consider where the business may be vulnerable to a data breach and, if it hasn't already done so, take appropriate measures to mitigate the vulnerability.
The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.