ICO reduces Cabinet Office monetary penalty over New Year Honours data breach by £450k

A monetary penalty of £500,000 issued to the Cabinet Office after it disclosed the addresses of the 2020 New Year Honours recipients has been reduced by the Information Commissioner's Office to £50,000 in recognition of "the current economic pressures public bodies are facing".

The ICO imposed the monetary penalty late last year after an investigation found the Government had failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people's information, breaching data protection law.

The failings saw the unredacted addresses of more than 1,000 people announced in the New Year Honours list posted to the Government's website for over two hours before being taken down.

In December 2021, the Cabinet Office issued a response noting that it took the findings of the Information Commissioner "very seriously".

It also said that it completed an internal review and implemented measures to ensure such a breach does not happen again.

However, the Cabinet Office went on to appeal the amount of the monetary penalty to the First-tier Tribunal (General Regulatory Chamber), alleging the level of penalty was "wholly disproportionate". It did not dispute the facts leading up to the data breach.

The parties agreed on the £450,000 reduction at Tribunal.

Commenting on the agreement, John Edwards, the UK Information Commissioner, said he considered the original monetary penalty to be proportionate in all the circumstances of this case but acknowledged the current economic stresses public bodies face.

According to Mr Edwards, the amended penalty reflects the ICO's new approach adopted this year which aims to impose monetary penalties on public bodies sparingly over data protection breaches.

"As I have explained, in certain circumstances large fines on their own may not be as effective a deterrent within the public sector", he added.

"I am willing to use my discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice."

This week, the ICO found the Department for Education to have presided over a data breach which would have warranted a £10m monetary penalty under the ICO's old approach, but the DfE has been handed a reprimand instead.

Adam Carey