ICO (UK) - Cabinet Office: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by one other user not shown)
Line 54: Line 54:
}}
}}


The Infomation Commissioner's Office (UK DPA) imposed a fine of approximately €585,739 on the Cabinet Office for a data breach in violation of Articles 5(1)(f) and 32(1) GDPR. The New Years 2020 Honours List was published including postal addresses for the recipients of the Honours.
The UK DPA (ICO) imposed a fine of approximately €585,739 (GBP 500,000) on the Cabinet Office for a data breach in violation of Articles 5(1)(f) and 32(1) GDPR. The New Years 2020 Honours List was published including postal addresses for the recipients of the Honours.


== English Summary ==
== English Summary ==
Line 70: Line 70:


=== Holding ===
=== Holding ===
The United Kingdom Data Protection Authority (Information Commissioner’s Office; ICO) held that the Cabinet Office had contravened Article 5(1)(f) of the General Data Protection Regulation (GDPR) when erroneously publishing the CSV file containing the data subjects’ postal addresses.  
The United Kingdom Data Protection Authority (ICO) held that the Cabinet Office had contravened Article 5(1)(f) of the General Data Protection Regulation (GDPR) when erroneously publishing the CSV file containing the data subjects’ postal addresses.  


The ICO also considered that the Cabinet Office had infringed [[Article 32 GDPR#1|Article 32(1) GDPR]] as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security.
The ICO also considered that the Cabinet Office had infringed [[Article 32 GDPR#1|Article 32(1) GDPR]] as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security.
Line 77: Line 77:


The ICO considered that a monetary penalty was appropriate given:   
The ICO considered that a monetary penalty was appropriate given:   
- the number of individuals affected;
 
- the damage or harm (eg distress and/or embarrassment); and  
* the number of individuals affected;
- failure to apply reasonable technical and organisational measures to mitigate any breach.
* the damage or harm (eg distress and/or embarrassment); and  
It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial amount of views (3872 times) and the Honours List was a high-profile event that attracts interest. The ICO also considered that the address of high profile people was disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects)
* failure to apply reasonable technical and organisational measures to mitigate any breach
 
It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial amount of views (3872 times) and the Honours List was a high-profile event that attracts interest. The ICO also considered that the address of high profile people was disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects)  


The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication.  
The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication.  


The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. This included:µ
The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. This included:  
- removing the CSV file completely after 2.5 hours;
 
- 2.5 hours was a short time frame for accessibility; and
* removing the CSV file completely after 2.5 hours;  
- most access occurred prior to the CSV file being completely deleted (when just the link was removed). This indicated that the first steps taken by the Cabinet Office were generally successful, even if the CSV file was still technically accessible in other ways.
 
* 2.5 hours was a short time frame for accessibility; and  
* most access occurred prior to the CSV file being completely deleted (when just the link was removed). This indicated that the first steps taken by the Cabinet Office were generally successful, even if the CSV file was still technically accessible in other ways.  
 
The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed.  
The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed.  



Latest revision as of 10:48, 7 December 2021

ICO (UK) - Cabinet Office
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 33(1) GDPR
Paragraph 15(1), Part 2, Schedule 2 Data Protection Act 2018
Type: Investigation
Outcome: Violation Found
Started:
Decided: 15.11.2021
Published: 02.12.2021
Fine: 500000 GBP
Parties: Cabinet Office
National Case Number/Name: Cabinet Office
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: MH

The UK DPA (ICO) imposed a fine of approximately €585,739 (GBP 500,000) on the Cabinet Office for a data breach in violation of Articles 5(1)(f) and 32(1) GDPR. The New Years 2020 Honours List was published including postal addresses for the recipients of the Honours.

English Summary

Facts

On 27 December 2019, the UK Cabinet Office (department of the Government of the United Kingdom) published the content page of the New Years 2020 Honours List on its website. The content page contained a link to a CSV file version of the Honours list that was not adequately edited to remove personal data. The CSV file contained the postal address of Honours recipients in a column that had been “hidden” rather than completely “deleted” from the CSV file. Despite the various steps taken before publishing the CSV file, no one within the Cabinet Office teams working on the Honours List noticed that the column was only “hidden”. The column was still there and became apparent again once the CSV file was made available online on gov.uk.

The Cabinet Office was alerted of the data breach by a member of the Government Communications Team. The Cabinet Office then republished the content page without the link to the CSV file. However, anyone who had the exact URL to the CSV file already could still access it despite this change. This is because documents cannot be removed from the gov.uk website once they have been published.

The issue was escalated and eventually the CSV file was permanently deleted around 2 hours and 30 minutes after it was first made available. It was found that the CSV file was accessed 3872 times from 2798 IP addresses.

The Cabinet Office alerted affected data subjects within 48 hours of the data breach and submitted a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the breach.

The Cabinet Office confirmed there was no written process in place to approve documents containing personal data prior to being published to ensure the content was suitably redacted. Additionally, the Cabinet Office’s page for best practice on data handling had not been updated for six months despite the implementation of a new software used to produce the Honours List (which contained a column for addresses). There were various other security concerns identified in an independent review commissioned by the Cabinet Office (accessibility of data to team members that do not need to have access; lack of testing of software to ensure they are robust enough; lack of monitoring of training for staff).

Holding

The United Kingdom Data Protection Authority (ICO) held that the Cabinet Office had contravened Article 5(1)(f) of the General Data Protection Regulation (GDPR) when erroneously publishing the CSV file containing the data subjects’ postal addresses.

The ICO also considered that the Cabinet Office had infringed Article 32(1) GDPR as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security.

The ICO investigated the Exemption within Paragraph 15(1) of Part 2 of Schedule 2 of the Data Protection Act 2018, which excludes the application of various rights and obligations to personal data processed for the purposes of conferring an honour or dignity (given by the Government under the name “the Crown”). Article 5 is listed as a provision that the data controller would not have to comply if the exemption applied. However, the ICO deemed that this did not apply as the contravention of Article 5(1)(f) as the erroneous publication of addresses was a result of a data security incident (rather than rights and obligations).

The ICO considered that a monetary penalty was appropriate given:

  • the number of individuals affected;
  • the damage or harm (eg distress and/or embarrassment); and
  • failure to apply reasonable technical and organisational measures to mitigate any breach

It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial amount of views (3872 times) and the Honours List was a high-profile event that attracts interest. The ICO also considered that the address of high profile people was disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects)

The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication.

The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. This included:

  • removing the CSV file completely after 2.5 hours;
  • 2.5 hours was a short time frame for accessibility; and
  • most access occurred prior to the CSV file being completely deleted (when just the link was removed). This indicated that the first steps taken by the Cabinet Office were generally successful, even if the CSV file was still technically accessible in other ways.

The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed.

The ICO also highlighted the steps taken by the Cabinet Office to reduce the likelihood of similar events occurring in the future. For example, reviewing technical processes, issuing guidance on removing personal data, providing training sessions to staff members, engaging in an independent review of data handling policies, processes, practice and culture.

Additionally, the ICO found that the data breach stemmed from a build error of the new software used to produce the Honours List. This generated the list to include postal address data in error. Accordingly, the Cabinet Office was responsible for the breach as the Digital and Technology team built the system. Lack of training and guidance available for staff members, including those in the Digital team, was also an important factor.

The ICO therefore imposed a fine of approximately €585,739 on the Cabinet Office as an effective, proportionate and dissuasive penalty.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                           ICO.
                                                           Information Commissioner's Office
                     DATA PROTECTION ACT 2018


   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER


                    MONETARY PENALTY NOTICE



To:   Cabinet Office


Of:   70 Whitehall, London, SW1A 2AS


1.    The Information Commissioner ("the Commissioner") has decided to

      issue the Cabinet Office with a penalty notice pursuant to section 155
      of the Data Protection Act 2018 ("DPA"). This penalty notice imposes

      an administrative fine on the Cabinet Office, in accordance with the

      Commissioner's powers under Article 83 of the GDPR. The amount of
      the penalty is £500,000 (five hundred thousand pounds).



2.    The penalty is being issued because of contraventions by the Cabinet
      Office of Articles 5(1)(f) and 32(1) of the GDPR in that, on 27-28

      December 2019, the Cabinet Office in error published on GOV.UK a CSV

      file which included full correspondence (postal) addresses of-data
      subjects (all of whom were 2020 New Year Honours recipients),

      resulting in a disclosure of personal data. This was a breach of Article
      5(1)(f) of the GDPR as the Cabinet Office did not process personal data

      in a manner that ensured appropriate security of the personal data.

       Further, at the time of and in the run up to the aforementioned breach,
      the Cabinet Office did not have in place appropriate technical and

      organisational measures to ensure a level of security appropriate to the

      risk associated with the processing of data for the purpose of the 2020
       New Year Honours List in breach of Article 32(1) of the GDPR.



                                   I                                                               ICO.
                                                               Information Commissioner's Office
3.     This penalty notice explains the Commissioner's reasons for imposing

       such a penalty, and for the amount of the penalty. Prior to issuing this
       penalty notice, the Commissioner carefully considered the Cabinet

       Office's Response to Notice of Intent dated 16 September 2021.


Legal Framework


4.     The Cabinet Office is a data controller for the purposes of the GDPR and

       DPA 2018 because it determines the purposes and means of the
       processing of the personal data associated with this incident (Article

       4(7) of the GDPR).


5.     "Personal data" is defined by Article 4(1) of the GDPR to mean:



            "any information relating to an identified or identifiable natural
           person ('data subject'); an identifiable natural person is one who

           can be identified, directly or indirectly, in particular by reference

           to an identifier such as a name, an identification number, location
           data, an online identifier or to one or more factors specific to the

           physical, physiological, genetic, mental, economic, cultural or

           social identity of that natural person"


6.     "Processing" is defined by Article 4(2) of the GDPR to mean:


            "any operation or set of operations which is performed on personal

           data or on sets of personal data, whether or not by automated

           means, such as collection, recording, organisation, structuring,
           storage, adaptation or alteration, retrieval, consultation, use,

           disclosure by transmission, dissemination or otherwise making

           available, alignment or combination,    restriction,erasure or
           destruction"


                                     2                                                               ICO.
                                                               Information Commissioner's Office


7.     Data controllers are subject to various obligations in relation to the
       processing of personal data as set out in the GDPR and DPA 2018. They

       are obliged by Article 5(2) of the GDPR to adhere to the data processing

       principle set out in Article 5(1).


8.     Article 5(1)(f) of the GDPR provides that personal data shall be:


            "processed in a manner that ensures appropriate security of the

            personal data,  including protection against unauthorised or

            unlawful processing and against accidental loss, destruction or
            damage, using appropriate technical or organisational measures

            ('integrity and confidentiality')".


9.     Article 32 of the GDPR provides:

            "(1) Taking into account the state of the art, the costs of

            implementation and the nature, scope, context and purposes of

            processing as well as the risk of varying likelihood and severity for
            the rights and freedoms of natural persons, the controller and the

           processor    shall   implement    appropriate    technical   and

            organisational measures to ensure a level of security appropriate
            to the risk, including inter alia as appropriate:

            (a) the pseudonymisation and encryption of personal data;

            (b) the ability to ensure the ongoing confidentiality, integrity,
            availability and resilience of processing systems and services;

            (c) the ability to restore the availability and access to personal

            data in a timely manner in the event of a physical or technical
            incident;






                                     3                                                               ICO.
                                                               Information Commissioner's Office
           (d) a process for regularly testing, assessing and evaluating the

           effectiveness  of technical  and  organisational  measures   for
           ensuring the security of the processing.



           (2) In assessing the appropriate level of security account shall be
           taken in particular of the risks that are presented by processing,

           in particular from accidental or unlawful destruction,     loss,

           alteration, unauthorised disclosure of, or access to personal data
           transmitted, stored or otherwise processed."



10.    The Commissioner is the supervisory authority for the United Kingdom
       as provided for by Article 51 of the GDPR.



11.    By Article 57(1) of the GDPR, it is the Commissioner's task to monitor
       and enforce the application of the GDPR.



12.    By Article 58(1)(d) of the GDPR, the Commissioner has the power
       to notify controllers of alleged infringements of the GDPR. By Article

       58(2)(i), the Commissioner has the power to impose an administrative

       fine in accordance with Article 83 in addition to or instead of the other
       corrective measures referred to in Article 58(2), depending on the

       circumstance of each individual case.

13.    By Article 83(1), the Commissioner is required to ensure that

       administrative fines issued in accordance with Article 83 are effective,
       proportionate and dissuasive in each individual case.



14.    Article 83(2) goes on to set out a number of factors to which the
       Commissioner should have regard when deciding whether to impose an

       administrative fine and deciding on the amount of the administrative

       fine in each individual case.


                                     4                                                                 ICO.
                                                                 Information Commissioner's Office


15.    The DPA 2018 contains enforcement provisions in part 6 which are

       exercisable by the Commissioner. Section 155 DPA 2018 provides in
       relevant part:



            "(1) If the Commissioner is satisfied that a person-

            (a) has failed or is failing as described in section 149(2), (3), (4)

               or (5),...
            the Commissioner may, by written notice, require the person to

            pay to the Commissioner an amount in sterling specified in the
            notice.

            (2) Subject to subsection (4), when deciding whether to give a

            penalty notice to a person and determining the amount of the
            penalty, the Commissioner must have regard to the following, so

            far as relevant-


                  (a)  to the extent that the notice concerns a matter to which

                  the UK GDPR applies, the matters listed in Article 83(1) and
                  (2) of the UK GDPR


              ,,



16.     Section 149(2) DPA 2018 provides in relevant part:

            "The first type of failure is where a controller or processor has

            failed, or is failing, to comply with any of the following:
                  (a)e provision of Chapter II of the UK GDPR or Chapter 2 of

                     Part 3 or Chapter 2 of Part 4 of this Act (principles of
                     processing)

              ,,



                                      5                                                           ICO.
                                                           Information Commissioner's Office
Background Facts


Overview


17.   On Friday 27 December 2019 at 22:e 0 the Cabinet Office published the

      content page for the New Year 2020 Honours List on GOV.e K. This was

      completed via a scheduled automatic publication set up by the Cabinet
      Office Publishing Team.



18.   The content page as published contained a link to a comma-separated
      values ("CSV") file version of the Honours list, which in error included

      the correspondence (postal) addresses of Honours recipients. This
      resulted in an unauthorised disclosure affecting - data subjects






19.   The Cabinet Office Press Office was alerted to the data breach by a

      member of the Government Communications Team who had "identified
      the data breach by chance". After becoming aware of the breach, at

      22: 59 on 27 December 2019 the Cabinet Office Publishing Team

      republished the content page removing the link to the CSV file.
      However, as files uploaded onto GOV.e K are automatically cached on a

      content delivery network, the file continued to be accessible online to
      people who had the exact webpage URL.



20.   The Cabinet Office contacted the Government Digital Service (GDS) at
      23: 34 for GDS to assist with removing the CSV file, as although the

      Cabinet Office can edit pages and remove links, they cannot remove

      documents from the GOV.e K website once they have been published.


      -the issue was escalated within GDS and support was obtained

                                  6                                                             ICO.
                                                             Information Commissioner's Office

       from a developer. This resulted in the CSV file being permanently
       deleted at 00: 51 on 28 December 2019.


21.   Therefore, in total, the CSV file containing the postal address data was

       accessible from 22: 30 on 27 December 2019 to 00: 51 on 28 December

       2019 - a period of two hours and 21 minutes. During that time the CSV
       file was accessed 3,872 times from 2,798 IP addresses.



22.    Although the file was accessible via the cache until 00: 51, the Cabinet
       Office Publishing Team republished the content page at 22: 59 which

       removed the link to the file. The Cabinet Office's logs show most of the
       access to the file (72%) occurred in the initial period before the link

       was removed and access declined over time.


23.    Affected data subjects were contacted within 48 hours of the data

       breach via email or telephone (if data subjects did not have an email
       address, the email had bounced back, or if there was an out-of-office

       message) where possible on 28 and 29 December 2019. Approximately

       11 data subjects were not contactable via either telephone or email and
       needed a hard copy letter to be posted to them. Following this, a hard

       copy letter was posted to all affected data subjects on 30 December
       2019.



24.   The Cabinet Office submitted a Personal Data Breach Report to the ICO
       within 72 hours of becoming aware of the data breach in accordance

       with Article 33(1) of the GDPR.









                                    7                                                             ICO.
                                                             Information Commissioner's Office
Circumstances surrounding the data breach


25.   The Honours and Appointments Secretariat ("HAS") in the Cabinet

       Office coordinates the Honours system and processes all public

       nominations.


26.    A new IT system               was introduced within HAS in 2019.

                 was built between January and June 2019 and was in use
       from July 2019. The 2020 Honours round was the first to use the new

                 system.


27.   The report              which generated the CSV file was incorrectly

       formulated to include postal address data which it should not have done

       and was not an element requested in the original build requirements.
      The Cabinet Office's Digital and Technology Team was responsible for

      building the system.


28.    Although testing took place on the          report by the Cabinet

       Office's Digital and Technology Team and the HAS Operations Team,

       the postal address column went unnoticed during the testing process
       which the Cabinet Office has said they believe was due to the large

       number of fields in the spreadsheet and the focus on ensuring the list

       of successful Honours recipients was accurate.


29.    A 'desk note' of instructions had been produced to articulate the
       process for running the           reports which produce the final

       Honours lists. These instructions were available to employees via

       Google Drive. However, these instructions reflected the
       report as it should have been set up and did not include a check to

       ensure personal data that should not have been included therein was

       removed.

                                    8                                                              ICO.
                                                              Information Commissioner's Office


30.    On 19 December 2019, the error with the           report incorrectly
       including postal address data was identified by the HAS Operations

       Team.   However,   due   to  short  timescales  between   finalising

       amendments to the list and the deadline for giving the lists to the Press
       Office for publication "the decision was taken to amend the output as

       opposed to the report build itself".


31.    On 23 December 2019 following certain changes to the Honours list, a

       second report was run to generate the CSV file for publication. This was

       completed by an employee not usually responsible for the process. This
       employee "was aware that postal address information should not be in

       the report and altered it to hide the information". Due to this, the CSV

       file incorrectly included postal address data which had been hidden but
       was still contained in the document as it had not been deleted. The

       Cabinet Office has subsequently stated "we acknowledge that the

       information should have been deleted". This version of the CSV file was
       sent to the Press Office on the same date.



32.    On 24 December 2019 a                     opened and reviewed the
       documents sent to the Press Office on 23 December 2019 and identified

       formatting errors which needed correcting. The
       emailed the HAS Operations team on 24 December 2019 to highlight

       the formatting errors. The Cabinet Office said inclusion of the postal

       address data was not identified by the                as it was not
       visible. In relation to this event, the Cabinet Office said, "In retrospect,

       this incident should have then automatically triggered a formal review

       point to check that the final version was correctly amended."






                                    9                                                             ICO.
                                                             Information Commissioner's Office
33.    On 24 December 2019 a third and final report was run

       to make the corrections requested by the              . This report
       again generated a CSV file incorrectly including postal address data.



34.    As the postal address data was hidden, the employee sending the
       document to the Press Office on 24 December 2019 thought the postal

       address data had been removed when "in reality it was still there and

      became visible when the document was uploaded to gov.uk". When
       asked if it was the same employee who hid the data as who sent the

       document to the Press Office, the Cabinet Office confirmed two people

       were involved in the process.


35.   The Cabinet Office's internal investigation report said the email sent to

      the Press Office on 24 December 2019 "was copied to the -
      - and a small number of HAS members, but did not include the

       relevant Director or senior press office staff". The Cabinet Office

       confirmed that the               copied into the email was the same
       person who identified the formatting errors with the version produced

       on 23 December 2019. However, the                   was on annual

       leave on 24 December 2019 when the final version was sent to the
       Press Office.


36.   The Press Office received the final version of the CSV file on 24

       December 2019, which incorrectly included the postal address data. It
       is understood the covering email "indicated that the previous issue had

       been resolved". The final CSV file was not opened by the Press Office

      before they completed a web publication form and sent this and the
       documents they had received to the Digital Team for publication on the

       same date, as they relied upon reassurance from the HAS in the

       covering email that the document was the final version. The Cabinet



                                    10                                                              ICO.
                                                              Information Commissioner's Office
       Office stated that "the press office and digital teams were not
       responsible for reviewing the data for sensitivities of this type".


37.    On 27 December 2019 the Press Office checked with the HAS that there

       had been no further changes and were told by the               that
       this was correct. Therefore they "assumed that the document was still

       the final version to publish".


38.    On 27 December 2019, the work to prepare the publication was
       completed by the Digital Team. At this point the Digital Team checked

       with the Press Office that there had been no changes to the documents.

       Checks for formatting, accessibility standards and correct functionality
       were completed by the Digital Team as per the standard process.

       However, these did not include any assessment of the substance, "as

       the team is not best placed to make any judgements" on the content
       and "it is clear that the documents need to be final signed-off versions".

       The documents were subsequently included in the content page for

       automatic publication.


39.    The Cabinet Office has stated that "it has always been standard practice
       for the [HAS] Team to undertake a final review of the list documents

       before publication to ensure, for example, that there is no sensitive

       data present and that the information is presented in the correct
       format. This review is not intended to require or result in extensive

       amendments, as that would indicate that the underlying data had been

       incorrectly entered in the database or that the report had been set up
       wrongly". However, the Cabinet Office confirmed there was no specific

       or written process in place in the HAS to sign-off or approve documents

       containing personal data prior to being sent for release to ensure the
       content was suitable for publication.




                                    11                                                             ICO.
                                                             Information Commissioner's Office
40.    The Cabinet Office's internal  investigation report included three

       recommendations    for   improvement    following   the   incident,
       demonstrating certain measures were not present at the time the data

       breach occurred:


           a. Recommendation 1: That the Honours IT system is updated and

              re-tested to ensure that a publication-ready document is

              produced when the report is run, which does not include
              address or other sensitive data. The Desk Instructions should

              be amended to ensure the report is always checked so that it

              only ever includes data that can be published.


           b. Recommendation 2: Ensure clear line of accountability for sign

              off for documents that will be published and that there are clear
              instructions in the email, which give sufficient detail so others

              can check.


           c. Recommendation 3: Press Office and Digital Communications

              ensure that the process for removing documents published in

              error is clearly understood, including for out of hours.


41.    An independent review led by Adrian Joseph and commissioned by the

       Cabinet Office reviewed wider data handling processes/practices within
       the Cabinet Office. That review includes the following observations:

            "Breaches, such as the one that impacted New Year's Honours

           recipients in December 2019, are too easily assigned to human

           error where a greater consistency of process, controls and culture
           across Cabinet Office could have reduced the risk systemically.

           There is a significant risk that further and more impactful breaches




                                   12                                                              ICO.
                                                              Information Commissioner's Office
           will occur as the amount of personal data being handled by the

           Department increases.


           The Cabinet Office identified two main factors that had contributed

           to the breach: the introduction of a new IT software package,
           which had included an additional field with individuals' addresses;

           and a lack of clarity about sign-off processes for the final versions

           of the documents that went online, and in the context of the new

           IT system."


42.    The review also highlighted the following concerns relevant to the

       incident:


           a. Whilst different documents exist on the Cabinet Office's intranet

              page   regarding  best  practice on   data  handling, these
              documents are not regularly updated or promoted throughout

              the Department; "The GDPR Hub, for example, has not been

              updated since May 2019".
           b. There appear to be issues with access restrictions which are

              "often imposed too late and there are examples of personal

              data being accessible to whole teams".

           c. Cabinet Office structures regularly change with new business
              units often being stood up to deliver on urgent political

              priorities. "The pace required to deliver on these priorities was

              cited by some business units and stakeholders as potentially
              compromising the disciplines of good personal data handling".

           d. Some teams have built additional checks into their processes,

              including  validating  data   being   transferred   between
              Government Departments, "however, in some instances it

              would be possible to eliminate human error altogether by fixing

              failings in IT systems. For example, in one software system it

                                    13                                                            ICO.
                                                            Information Commissioner's Office
              is possible to accidentally send personal information about one
              individual to another, unconnected, individual whose details are

              also held in the same system".

           e. "Interviewees raised a number of concerns around the
              procurement of new software to run their data handling

              processes. Some said that financial considerations meant that

              off-the-shelf solutions were chosen to run processes that, given
              their complexity, warranted bespoke solutions".

           f. "Another concern raised by a number of teams was that

              software had not undergone sufficiently robust or extensive
              testing in advance of being rolled out. The reasons cited

              included lack of both staff and money, lack of expertise within
              the commissioning teams, and projects being rolled out too

              quickly in order to meet Ministerial commitments. In all

              instances considered by the Review these risks had been signed
              off by senior managers or Ministers".

           g. "...training is not monitored across the organisation. One team

              interviewed for the Review had set up their own training log,
              but most did not actively monitor which members of their teams

              had completed the training".

Apology

43.   On 7 January 2020, the Minister for the Cabinet Office made a

      statement to Parliament by which the Cabinet Office gave a public

      apology in relation to the incident.


Notice of Intent




44.   On 4 August 2021, in accordance with section 155(5) and paragraphs

      2 and 3 of Schedule 16 DPA 2018, the Commissioner issued the Cabinet

                                   14                                                             ICO.
                                                             Information Commissioner's Office
      Office with a Notice of Intent to impose a penalty under section 155

      DPA 2018. The Notice of Intent described the circumstances and the
      nature of the personal data in question, explained the Commissioner's

      reasons for the proposed penalty of £600,000, including what she

      regarded as the aggravating and mitigating factors, and invited written
      representations from the Cabinet Office.



45.   On   16  September   2021,  the  Cabinet  Office  provided written
      representations in response to Notice of Intent. The key representations

      made by the Cabinet Office were:


           a. the level of the fine is disproportionate to the scale of the breach
              (particularly taking into account that of the addresses revealed

              the majority  were already readily accessible in the public

              domain);


           b. the proposed penalty does not take into account the extensive

              immediate and long-term action taken by the Cabinet Office to
              mitigate the consequences of the breach and was not

              determined in accordance with the statutory guidance reflected

              in the Commissioner's Regulatory Action Policy;

           c. the proposed penalty does not adequately reflect the statement

              made to Parliament by the Minister for the Cabinet Office on 7

              January 2020 and the apology contained within that statement
              and this statement does not appear to have been taken into

              account adequately when the Notice of Intent was formulated;

              and


           d. The breaches do not warrant an administrative penalty and that

              another sanction such as that set out Article 58(2)(b) GDPR
              would be more appropriate.

                                   15                                                     ICO.
                                                     Information Commissioner's Office

46.   The Cabinet Office's representations have been considered in full. Having

      taken these representations and all other factors into account, the

      Commissioner has decided to issue a monetary penalty in the sum of
      £500,000.


 Breaches of GDPR



 Contravention of Article 5(1)(f) of the GDPR


 47.  Article 5(1)(f) of the GDPR has been contravened as the Cabinet Office,

      the controller, published the CSV file on GOV.e K which included full
      correspondence (postal) addresses of  data subjects in error,

      resulting in a disclosure of personal data.


 48.  By Article 5(2) it is the controller who is responsible for and must be

      able to demonstrate compliance with Article 5(1).



 Contravention of Article 32 of the GDPR


 49.  Article 32(1) of the GDPR has been contravened as the Cabinet Office,

      the controller, did not have in place appropriate technical and
      organisational measures to ensure a level of security appropriate to the

      risk associated with the processing of data for the purpose of the 2020

      New Year Honours List.


 Exemptions



 50.  Paragraph 15 (1) of Part 2 of Schedule 2 to the DPA 2018 provides:



                               16                                                               ICO.
                                                               Information Commissioner's Office
            "The listed GDPR provisions do not apply to personal data
           processed for the purposes of the conferring by the Crown of any

           honour or dignity."


51.    Paragraph 6 of Part 2 of Schedule 2 to the DPA 2018 provides (emphasis
       added):



           "In this Part of this Schedule, "the listed GDPR provisions" means
           the following provisions of the GDPR (the rights and obligations in

           which may be restricted by virtue of Article 23(1) of the GDPR)-


           (a) Article 13(1) to (3) (personal data collected from data subject:
           information to be provided);

           (b) Article 14(1) to (4) (personal data collected other than from

           data subject: information to be provided);
           (c) Article 15(1) to (3) (confirmation of processing, access to data

           and safeguards for third country transfers);
           (d) Article 16 (right to rectification);

           (e) Article 17(1) and (2) (right to erasure);

           (f) Article 18(1) (restriction of processing);
           (g) Article 19 (notification obligation regarding rectification or

           erasure of personal data or restriction of processing);

           (h) Article 20(1) and (2) (right to data portability);
           (i) Article 21(1) (objections to processing);

           (j) Article S (general princip  les) so far as its provisi ns

           correspond to the rights and obligations provided for in the
           provisions mentioned in sub-paragraphs (a) to (i).e


52.    The contravention of Article 5(1)(f) of the GDPR in the present case

       arises from a data security incident not from the rights and obligations

       at paragraph 6(a)-(i) of Part 2 of Schedule 2 to the DPA 2018 - the
       exemption therefore does not apply.

                                    17                                                             ICO.
                                                             Information Commissioner's Office


The Regulatory Action Policy



53.    When deciding to impose a monetary penalty and when setting the

       amount of that penalty, the Commissioner had regard to and acted in

       accordance with the Regulatory Action Policy.


54.    In deciding to impose a monetary penalty, the Commissioner had

       regard to all of the factors set out on page 24 of the Regulatory Action
       Policy and assessed this case objectively on its own merits. In all the

       circumstances, a monetary penalty was considered appropriate given:


           a. the number of individuals affected;
           b. there was a degree of damage or harm (which may include

              distress and/or embarrassment); and

           c. there was a failure to apply reasonable measures to mitigate
              any breach (or the possibility of it).


55.    In setting the amount of the penalty, the Commissioner applied the five

       step approach set out in the Regulatory Action policy:

           a. At step 1, the Commissioner determined that there were no

              discernible financial gains identified or losses avoided in relation

              to the incident.
           b. At step 2, the Commissioner had regard to the scale and

              severity of the breach by taking into account the considerations

              identified in sl 55(2)-(4) DPA 2018.
           c. At step 3, the Commissioner determined that there were no

              additional aggravating factors.




                                    18                                                             ICO.
                                                             Information Commissioner's Office
           d. At step 4, the Commissioner determined that in view of the
              factors set out below, an amount should be added to the

              penalty otherwise payable in order to act as a deterrent.

           e. At step 5, the Commissioner determined that there were no
              other factors (including ability to pay) on which to reduce the

              amount of the monetary penalty.


Article 83(2) GDPR



56.    The Commissioner has considered the factors set out in Article 83(2)
       GDPR in deciding whether to impose a penalty and when deciding on

       the amount of the penalty as follows:


      Nature, gravity and duration of the infringement


57.    The data breach was a security incident whereby the confidentiality of

       personal data (postal addresses) was compromised by inclusion in the

       CSV file that was published in the public domain. The data breach was
       caused by or contributed to by the absence of appropriate technical and

       organisational measures to ensure a level of security appropriate to the

       risk associated with the processing of the data in breach of Article
       32(1).


58.   The CSV file which contained the postal address data was live and

       publicly accessible in the public domain via GOV.e K for two hours and

       21 minutes, - a relatively short duration. However, during the period
       in which the CSV file was accessible, where it could be either viewed in

       a web browser or downloaded, it was accessed 3,872 times from 2,798

       unique IP addresses. Further, the Cabinet Office was well aware that
       the New Year's Honours list is a high-profile event which attracts

       considerable interest such that publication of this data set would place

                                    19                                                 ICO.
                                                 Information Commissioner's Office

     the associated data in the public domain in a high demand arena, with
     accesses likely to take place quickly and on a relatively large scale.


59.  Although the data disclosed was basic personal identifiers and, in error,

     location data (i.e. postal addresses) as opposed to more sensitive data
     such as special category data or criminal conviction data, the personal

     data disclosed related to - data subjects across the United

     Kingdom who are from a broad range of professions and include various
     high profile peopThe personal data was published in the public

     domain and therefore accessible to anyone, as opposed to for example,
     being disclosed to other individuals who also had a high profile and

     therefore who would likely hold a shared interest in keeping the data

     secure.


60.  The Cabinet Office confirmed that 207 data subjects out of a total of
     -    affected had postal addresses that were not obviously in the

     public domain prior to the breach.























                            20                                                           ICO.
                                                           Information Commissioner's Office





















64.   The Cabinet Office has stated that it has been informed by policee
                    that there is no information to suggest an increased risk

      in relation to any persons as a result of the data breach.


65.   There is, however, evidence that the data breach has caused distress
      to some of the affected data subjects. The ICO has received three

      complaints from affected data subjects raising personal safety concerns

      resulting from the breach. The Cabinet Office has also been contacted
      by 30 affected data subjects with 27 of those contacts relating to

      concerns about the possible impact on the individual's personal safety,
      largely as a result of pre-existing considerations.


66.   The Cabinet Office also acknowledged in its initial breach report that

      the data breach gave rise to a possible increase in vulnerability to

      identity fraud, caused by the combination of names, postal addresses
      and, in a number of instances, the type of work they undertake being

      published.


                                  21                                                              ICO.
                                                              Information Commissioner's Office
67.    The Cabinet Office further stated that "To our knowledge, there has

       been a single instance, on 29 December, of a badly-redacted screenshot
       of the data being posted on Twitter. We asked Twitter to remove the

       tweet as a violation of their terms of service and this was carried out

       the same day"and "there is no evidence that the personal data involved
       in this incident has been inappropriately disseminated more widely, or

       indeed at all"


68.    In all the circumstances, the data breach was serious and could easily

       have been avoided. Further, the Cabinet Office had not implemented

       appropriate technical and organisational measures to ensure a level of
       security appropriate to the risk. The gravity of the failure was, then,

       very high.


      Intentional or negligent



69.    The infringements were negligent.


70.    The data breach had the potential to occur due to a build error with the

       newly introduced IT system             within the HAS. Specifically,
       the report             which generated the CSV file was incorrectly

       formulated to include postal addresses in error. The original build

       requirements did not include a postal address field. The erroneous
       inclusion of the postal address data was not identified when the report

       was tested by Cabinet Office staff.


71.    However, the error with the report functionality including the postal

       address data was identified by the HAS Operations Team on 19
       December 2019. This date is before the data breach occurred and

       presented the Cabinet Office with the opportunity to implement



                                    22                                                             ICO.
                                                             Information Commissioner's Office
       measures to sufficiently mitigate the risk and protect the data. The

       Cabinet Office did not do so.


72.    Upon identification of the error with the report functionality "the

       decision was taken to amend the output as opposed to the report build
       itself". This was because of the short timescales between finalising

       amendments to the list and the deadline for giving the lists to the Press

       Office. Due to this decision, any outputs generated from the report
       would therefore continue to include the postal address data in error

       which would have left the data open to the risk of inadvertent

       publication. This is demonstrated by the data breach later taking place.


73.   The ICO queried if all employees within the HAS were made aware of

       the requirement to remove the personal data (postal address data)
       before processing the generated reports once the error with the

                 report was identified by the HAS Operations Team. The

       Cabinet Office confirmed only 22 people have access to the
       system. Information about the report functionality was relevant to only

       five members of the HAS Operations Team. These five employees were

       verbally advised of the requirement to remove the postal address data.
       However, employees were not issued any guidance on how to remove

       the data. The Cabinet Office said as       "was a new system, and
       in effect a new process, the team were responsible for identifying

       solutions to the issues identified throughout the process"


74.    Employees relied on the desk note to produce the           reports

       which did not reflect the report as it was set up, and did not include a

       check to ensure personal data that should not have been included was
       removed.





                                   23                                                            ICO.
                                                            Information Commissioner's Office
75.   Additionally, there was no specific or written sign-off process in place
      in the HAS before sending documents containing personal data for

      release to ensure the content was suitable for publication, even after

      formatting errors were identified in the second version of the CSV file
      when it was delivered via email to the Press Office. In relation to the

      formatting errors with the second version of the CSV file, the Cabinet

      Office said, "In retrospect, this incident should have then automatically
      triggered a formal review point to check that the final version was

      correctly amended".


76.   The Cabinet Office had the opportunity on at least two occasions to

      implement measures to mitigate the risk and protect the data from a
      potential breach; firstly when the error with the report functionality

      including postal address data was identified by the HAS Operations

      Team on 19 December 2019, and secondly when the
       identified formatting errorswith the second version of the CSV file sent

      to the Press Office on 23 December 2019.


      Action taken by the data controller to mitigate the damage

     suffered by data subjects


77.   The Cabinet Office has undertaken a number of appropriate and

      effective remedial measures after becoming aware of the data breach
      as follows:



     To contain the incident


           a. Once the data breach was identified the Cabinet Office

              subsequently removed the link to the file on the content page
              and contacted GDS to remove the file from cache.



                                   24                                                       ICO.
                                                       Information Commissioner's Office

     b. The Cabinet Office's logs show the majority of access to the file
        occurred in the initial period before the link was removed at

        22: 59 and access declined over time until the file was
        permanently deleted. This demonstrates that the immediate

        attempts to remove access to the data likely contributed to

        reducing the level of access after this point.

      c. The file was accessible from 22: 30 on 27 December 2019 to

        00: 51 on 28 December 2019 (two hours and 21 minutes) which

        is a short duration. It is however noted that the quick
        identification of the incident was due to a member of the

        Government Communications Team identifying the data breach
        by chance.


To inform data subjects


      d. Affected data subjects were contacted within 48 hours of the
        data breach via email or telephone where possible on 28 and

        29 December 2019. Approximately 11 data subjects were not

        contactable via either method and needed a hard copy letter
        posted to them. Following this, a hard copy letter was posted

        to all affected data subjects on 30 December 2019.


      e. The HAS established a rota to answer recipient queries between

        08:e 0-20:e 0 for the two weeks following the data breach.


To attempt to mitigate potential and actual damage caused to the data

subjects


     f.




                             25                                                ICO.



























     g. After being informed, actions were undertaken by the Police -
                       to assess the risk to the affected data
       subjects in their area/region/locality. Where additional actions

       were required, this was taken forward by the relevant Police
       force - where appropriate. This included a reminder of

       security advice, data subjects being advised to contact 101
       (excluding those who had contacted the HAS with specific

       issues) and placing additional protective flags at data subjects
       addresses etc. National Police Coordination Centre circulated a
       guidance document to all Police forces which could be circulated

       to individual Honours recipients wanting additional advice.


To identify and prevent further dissemination of the personal data

                          26                                                ICO.
                                                Information Commissioner's Office


     h. GDS used analytics to ascertain the extent of access to the data

       and were commissioned by the Cabinet Office to provide advice
       on further digital tracking and possible mitigation actions.



     i.Cabinet Office staff monitored social media and arranged for a
       Twitter post which showed a screenshot of the data to be

       removed.


     j.




     k. Internet monitoring was carried out by Police colleagues


                        for the first week and a half following the

       breach. Simultaneously, the Government continues to carry out
       its own monitoring which the ICO were told on 29 January 2020

       will "remain for the foreseeable future". "This monitoring tracks
       instances of the data appearing online and seeks to identify

       obvious instances of the data being shared".


To reduce the likelihood of a similar event occurring in the future



     I.GDS undertook a full incident review, including a review of
       checks on the publisher tool and incident handling. This review

       looked at how the escalation process works, publisher training,
       and technical changes that could have mitigated impact. This

       resulted in the caching time frame being reduced from 24 hours

       to 30 minutes for attached documents.




                          27                                                  ICO.
                                                  Information Commissioner's Office
m. A number of actions have been undertaken in the Honours

   system specifically, this includes reviewing the overall security
   of the system and permission levels, an operational process

   review, the approvals process, reviewing the desk note of

   instructions, and creating a new report generated from their
   database   which  does   not  include  postal  information.

   Additionally,all employees   in  the  HAS   refreshed their

   Responsible for Information e-Learning after the breach.


n. Cabinet Office has confirmed "The report functionality in

   question has been amended to remove address data so that
   this does not arise in the future. Approvals processes for use

   from the (current) Birthday 2020 honours round will include a

   check to ensure that all documents for publication are checked
   for personal and sensitive data even when they should not

   contain it". The Cabinet Office have also provided a document

   with 16 action points where all except two have either had the
   work completed or they are currently in the process of doing

   so.


o. The Communications Team were taking action to ensure that

   anyone who has not recently undertaken training does so as
   soon as possible.



p. An independent review in the Cabinet Office led by Adrian
   Joseph OBE focusing on data handling policies, processes,

   practice and culture has been completed (dated March 2020)

   which includes recommendations for improvement.






                        28                                                             ICO.
                                                             Information Commissioner's Office
       Degree of responsibility


78.    The data breach stems from a build error with a newly introduced IT

       system within the HAS. Specifically, the report             which

       generated the CSV file was incorrectly formulated to include postal
       address data in error. The original build requirements did not include a

       postal address field.


79.    The Cabinet Office's Digital and Technology team were responsible for

       building the          system:


           a. The           system was implemented under the agile project

              development process, with development being completed in

              periods called 'sprints' in which specific elements of the system
              were built, tested and approved. Required system functionality

              and any changes needed are articulated in project development

              software called JIRA which provides the audit trail for
              development.



           b. In relation to JIRA, the Cabinet Office said "User stories are
              defined and put into sprints for development. Each story

              outlines the requirements with clearly defined acceptance
              criteria. Stories are developed in a testing environment, then

              moved into the 'Testing' column where an internal functional

              test is carried out against the acceptance criteria. Once it has
              passed this test it moves into 'Product Owner Sign Off' where a

              member of the business unit checks the story. When the story

              has passed these checkpoints it moves to 'Done' and is
              deployed to the production environment. If necessary a training

              session is carried out with the business unit to walk through the

              story".

                                   29                                                             ICO.
                                                             Information Commissioner's Office


           c. The period of the build between January and June 2019 was
              completed in two weeklong sprints and once the new IT system

              was in use from July 2019, the sprints became one month long.


           d. The agile sprints included the delivery of system training to

              employees which included training on specific issues and was

              completed on numerous occasions throughout the year.
              Members    of  the  Digital and   Technology   team   were

              simultaneously co-located within the Honours Operations team

              for two days each week for several months to assist with issues,
              and all employees involved in this data breach knew how to use

              and had received training on the report functionality.


           e. The            report functionality went through several tests

              and iterations before it reflected the correct candidates for the

              final Honours list. The report was tested by the both the Cabinet
              Office's Digital and Technology Team and the HAS Operations

              Team.


           f. Not all staff in the HAS have access to the        system,

              which is a measure to control access to the material it contains.

              Only 22 employees have access.


80.    Accordingly, there were measures in place regarding the initial building
       and testing of the          system/report. However, the error with

       the functionality of the        report including postal address data

       was not identified during this process.


81.    There were also other measures in place within the Cabinet Office/HAS

       including:

                                   30                                                              ICO.
                                                              Information Commissioner's Office


           a. The Cabinet Office had mandatory data protection training in
              place prior to the incident, which was primarily comprised of

              the   Civil Service  e-Learning   course   'Responsible  for

              Information'. This training had been completed by employees
              in the HAS. Each unit provides a six-monthly Information

              Assurance   return  which  confirms  that  employees   have

              completed training. The Cabinet Office said the training is part

              of induction to [the HAS] and a record is kept of completion.


           b. There is a data hub on the Cabinet Office's intranet with

              guidance concerning all elements of the GDPR; information
              assurance (managing of information risks) including relating to

              the collection and sharing of personal data; the mandatory

              training; templates for data processing and privacy notices; and
              applied examples of best practice. The Cabinet Office said

              information is drawn to employees' attention via mechanisms

              such as a short cut to the hub on the intranet front page and
              staff communications.   There   are  also  additional, non­

              mandatory, learning courses about other elements of data

              handling on Civil Service Learning.


82.    However:



           a. When asked what percentage of Cabinet Office employees had
              completed the mandatory data protection training in the two

              years prior to the incident, the Cabinet Office confirmed there

              are seven modules in the "Responsible for Data" e-Learning
              which were completed between 3,517 and 4,070 times in the

              period encompassing the data breach. They were unable to

              provide a percentage but estimated take up of the training is

                                    31                                                   ICO.
                                                   Information Commissioner's Office
   widespread "but could vary between roughly half and most of
   the staff in the department at any given time".



b. Employees in the Press Office and Digital Team, who were also
   involved in the process of the data being published, had not

   received data protection training in the last two years.


c. There was a 'desk note' of instructions which articulated the

   process for running the           reports which produce the

   final Honours lists available to employees via Google Drive.
   However, the desk note reflected the            report as it

   should have been set up. It did notinclude a check to ensure
   personal data that should not have been present was removed.



d. The Cabinet Office said the data hub does not cover redaction
   of documents to remove personal data and that "Staff in the

   Secretariat were not explicitly trained on this point, in part

   because had the report been set up correctly, it should not have
   been necessary". However, in mitigation to the above they said

   "However, as part of their wider data training, they were aware

   that postal address information constituted personal data which
   should not be disclosed".


This is particularly relevant to the data breach, as the employee

involved believed that hiding the data in the CSV file involved in

the data breach was a sufficient method to remove it.


e. There was no specific or written sign-off process in place in the

   HAS before sending documents containing personal data for
   release to ensure the content was suitable for publication, even

   after formatting errors were identified with the second version

                         32                                                   ICO.
                                                   Information Commissioner's Office
   of the CSV file when delivered via email to the Press Office. In

   relation to the identification of the formatting errors, the
   Cabinet Office said, "In retrospect, this incident should have

   then automatically triggered a formal review point to check that

   the final version was correctly amended".


f. As set out above, the error with the report functionality

   including the postal address data was identified by the HAS

   Operations team on 19 December 2019 before the data breach
   occurred, which   presented  the  Cabinet  Office with the

   opportunity to implement measures to sufficiently protect the

   data and mitigate the risk of it being handled incorrectly in
   error. The data breach later occurring demonstrates the risk of

   the postal address data being handled incorrectly was not

   sufficientlymitigated   by   appropriate  technical  and/or
   organisational measures. If the Cabinet Office had introduced

   further measures following the identification of the error with

   the           report, they could have reduced the likelihood of
   the postal address data being disclosed in error. Examples of

   such measures include:



      i. Amending   the  desk   note  to  include  robust  and
        prescriptive instructions on the correct method to remove

        the postal address data in the CSV file generated which

        was not to be included in the list publication.


     ii. Implementing a sign-off procedure to check the postal

        address data had been removed correctly, in accordance
        with the instructions provided above, before delivering

        the final version to the Press Office for publication.



                        33                                                             ICO.
                                                             Information Commissioner's Office
83.    The nature of the publication of the Honours list is and was such that

       the document may need regular changes, possibly at the last minute.
       This, coupled with the fact that some of the data on the spreadsheet

       referred to vulnerable (to reflect the terminology adopted by the

       Cabinet Office) or high-profile individuals, meant that the security
       measures   involved  should, in  order  to  demonstrate   effective

       organisational and technical controls, have been more detailed and

       taken greater care to address the risks presented in the processing of
       the data set, including its eventual publication.



      Any relevant previous infringements


84.    No relevant previous infringements have been identified.



      The degree of cooperation with the Commissioner


85.    The Cabinet Office has been cooperative and responsive with the ICO's

       investigation. In particular:


           a. The initial Personal Data Breach Report for the data breach was

              submitted within 72 hours of becoming aware, in line with
              Article 33 (1) of the GDPR.

           b. Two conference calls took place between the ICO and the

              Cabinet Office early-on in the ICO's investigation.
           c. The Cabinet Office have answered four rounds of written

              enquiries sent by the ICO albeit some of the responses were

              not as clear as they might have been.
           d. The Cabinet Office have been open with the ICO regarding the

              failures/factors which contributed to the data breach.




                                   34                                                          ICO.
                                                          Information Commissioner's Office

      The categories of personal data affected by the infringement


86.   The data disclosed was location data (i.e. postal addresses). Some of
      the data affected was already in the public domain. However, numerous

      postal addresses which were not in the public domain were made public

      by the data breach. There were 207 such entries with addresses - which
      is not an insubstantial amount.



     The manner in which the infringement became known to the
     Commissioner


87.   The infringement became known to the Commissioner as a result of the

      Cabinet Office submitting a Personal Data Breach Report to the ICO

      within 72 hours of becoming aware of the data breach in accordance
      with Article 33(1) of the GDPR.


     Where measures referred to in Article 58(2) have previously

     been ordered against the controller or processor concerned with

     regard to the same subject-matter, compliance with those
     measures


88.   Not applicable.



     Adherence to approved codes of conduct pursuant to Article 40
     or approved certification mechanisms pursuant to Article 42



89.   Not applicable.


     Aggravating and mitigating factors




                                  35                                                               ICO.
                                                               Information Commissioner's Office
90.    Beyond the matters referred to above there were no other significant

       factors that aggravate or mitigate the infringement.


Deterrent Effect


91.    The Cabinet Office is a long-established organisation at the heart of

       government that processes a variety of data across a range of activities.

       It has   the  standing,  access  to  resource  and  expertise,  and
       sophistication to provide a high standard of organisational and technical

       measures in comparison to, for example, a small private sector

       organisation or a small public authority. Organisations that have the
       means to do so, are expected to take the most stringent possible

       preventative measures. The Cabinet Office would have incurred very

       little, if any, cost in implementing a procedure that could have

       prevented the data breach.


92.    Further, the honours list is an annual process involving high profile and

       vulnerable individuals. The Cabinet Office should have been more aware
       of the need for strong security arrangements. Following an external

       review initiated by the Cabinet Office, cultural challenges were

       identified in regard to data protection requirements.


93.    For the avoidance of doubt, the Cabinet Office has not been held to a

       higher standard than another like controller, merely a high standard in

       relation to an important and high-profile processing activity undertaken
       by it. The Cabinet Office has the standing, access to resource and

       expertise, and   sophistication to  provide  a   high  standard   of

       organisational and technical measures. The penalty reflects the Cabinet

       Office's breach when considered in that context, albeit some reduction
       has been made to the penalty to reflect the Cabinet Office's

       representations with regard to deterrent effect.


                                    36                                                             ICO.
                                                             Information Commissioner's Office
Reducing the amount to reflect anymitigating factors, including ability
to pay



94.   The Commissioner is not aware of any financial hardships or factors
       that would reduce the Cabinet Office's ability to pay. Whilst the

       Response to the Notice of Intent refers to the current strain on public

       finances including as a result of the Covid-19 pandemic, no specific
       figures or details were provided in relation to the extent of any such

       strain or hardship on the Cabinet Office. Nor does the Commissioner
       consider there are any other factors that should lead to a reduction in

       the penalty amount.


95.   The spending and budget of the Cabinet Office was previously

       understood to be in excess of £1 billion in 2019/20. However, in the

       Response to the Notice of Intent, the Cabinet Office stated that the
       appropriate budget amount was £381 million. The Commissioner

       accepts that £381 million is the appropriate budget figure. For the

       avoidance of doubt, the Cabinet Office's spending/budget has not been
       used in any sort of mechanistic fashion to determine the penalty

       amount. Rather it was considered that the Cabinet Office is of sufficient
       size to be able to withstand the proposed penalty. This position holds

       true even on the basis of the Cabinet Office's budget being £381 million.


96.   Taking into account all of the above, the Commissioner is of the view

       that a penalty in the sum of £500,000 is effective, proportionate and

       dissuasive.


Summary and decided penalty


97.    For the reasons set out above, the Commissioner has decided to impose

       a financial penalty on the Cabinet Office.

                                   37                                                              ICO.
                                                              Information Commissioner's Office

98.    Taking into account all of the factors set out above, the Commissioner

       has decided to impose a penalty in the amount of   £500,000 (five
       hundred thousand pounds).



Payment of the penalty


99.    The penalty must be paid to the Commissioner's office by BACS transfer

       or cheque by 14 December 2021 at the latest. The penalty is not kept
       by the Commissioner but will be paid into the Consolidated Fund which

       is the Government's general bank account at the Bank of England.


100.   There is a right of appeal to the First-tier Tribunal (Information Rights)

       against:


           (a)  the imposition of the monetary penalty and/or;



           (b)  the amount of the penalty specified in the monetary penalty
           notice.



101.  Any notice of appeal should be received by the Tribunal within 28 days
      of the date of this monetary penalty notice.


102.  Information about appeals is set out in Annex 1.


103.  The Commissioner will not take action to enforce a monetary penalty

      unless:


      • the period specified within the notice within which a monetary

        penalty must be paid has expired and all or any of the monetary
        penalty has not been paid;



                                    38                                                           ICO.
                                                           Information Commissioner's Office
     • all relevant appeals against the monetary penalty notice and any

       variation of it have either been decided or withdrawn; and


     • period for appealing against the monetary penalty and any variation
       of it has expired.


104. In England, Wales and Northern Ireland, the monetary penalty is
      recoverable by Order of the County Court or the High Court.

      Scotland, the monetary penalty can be enforced in the same manner
      as an extract registered decree arbitral bearing a warrant for execution

      issued by the sheriff court of any sheriffdom in Scotland.



Dated the 15th day of November 2021








Elizabeth Denham
Information Commissioner
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF














                                  39                                                             ICO.
                                                             Information Commissioner's Office
ANNEX 1


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER


      1.   Section 55B(S) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')

      against the notice.


      2.   If you decide to appeal and if the Tribunal considers:e


           a)    that the notice against which the appeal is brought is not in

           accordance with the law; or


           b)    to the extent that the notice involved an exercise of

           discretion by the Commissioner, that she ought to have exercised
           her discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as
      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.   You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:


                 General Regulatory Chamber
                 HM Courts & Tribunals Service
                 PO Box 9300
                 Leicester

                 LE1 8DJ
                 Telephone:  0203 936 8963
                 Email:      grc@justice.gov.uk



                                   40                                                         ICO.
                                                         Information Commissioner's Office
      a)   The notice of appeal should be sent so it is received by the
      Tribunal within 28 days of the date of the notice.



      b)   If your notice of appeal is late the Tribunal will not admit it
      unless the Tribunal has extended the time for complying with this

      rule.


4.    The notice of appeal should state:e



      a)   your name and address/name and address of your
      representative (if any);


      b)    an address where documents may be sent or delivered to

      you;


      c)    the name and address of the Information Commissioner;



      d)   details of the decision to which the proceedings relate;


      e)   the result that you are seeking;


      f)   the grounds on which you rely;


      g)   you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)   if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for an extension of time

      and the reason why the notice of appeal was not provided in
      time.



                              41                                                   ICO.
                                                    Information Commissioner's Office
5.   Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier

Tribunal (Information Rights) are contained in section 55B(S) of, and
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).
































                            42