Government facing compensation claims following £500,000 fine for 2020 New Year Honours list data breach

The Government was today fined £500,000 by the Information Commissioner’s Office (ICO), the UK’s data watchdog, for disclosing the postal addresses of more than a thousand New Year Honours List recipients on 27 December 2019 on the gov.uk website. 

The information was available online for 2 hours 21 minutes and was accessed 3,872 times from 2,798 different IP addresses. 
 
Prominent public figures who had their home addresses published, included Elton John, the cricketer Ben Stokes, NHS England’s then chief executive, Simon Stevens, the TV chef Nadiya Hussain and the former director of public prosecutions Alison Saunders. The inadvertently published list also included more than a dozen MoD employees and senior counter-terrorism officers.  The Cabinet Office has stated that 207 individuals had postal addresses that were not obviously in the public domain prior to the data breach.
 
The ICO found contraventions of the General Data Protection Regulation (GDPR) by the Cabinet Office for failing to process personal data in a manner that ensured appropriate security of personal data and failing to have appropriate organisational and technical measures in place.  In its report, the ICO confirmed that there was evidence that the data breach had caused distress to some of those affected and that it had received three complaints from affected data subjects raising personal safety concerns resulting from the breach and that the Cabinet Office had also been contacted by 30 affected individuals, 27 of whom raised concerns about the possible impact on their personal safety.  The ICO report also referred to a badly redacted screenshot of the data being posted on Twitter for a short period afterwards.  The report also referred to the Cabinet Office acknowledging that the data breach gave rise to a possible increase in vulnerability of those affected to identity fraud.
 
Overall, the ICO stated that the data breach was serious and could easily have been avoided and therefore described the gravity of the failure as being very high.
 
Sean Humber, a data breach specialist at law firm Leigh Day instructed by an affected individual, stated:

“The ICO rightly considered this data breach to be serious because it affected the privacy and security of a significant number of people on the list, including senior police officers, Defence officials, politicians and celebrities.
 
“Those individuals on the list whose home addresses were not previously in the public domain, but were then wrongly disclosed as a result of the data breach, are likely to have significant claims for compensation for the unauthorised disclosure of their personal information, including for any anxiety and distress suffered, as well the costs of any reasonable action they took as a result of the blunder.”
 
If you have been affected by the data breach and wish to receive more information in confidence and without obligation about bringing a claim for compensation on a “no win, no fee basis” then please contact Sean Humber on shumber@leighday.co.uk or 020 7650 1200