ICO (UK) - Cabinet Office: Difference between revisions
Mariam-hwth (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...") |
No edit summary |
||
(3 intermediate revisions by one other user not shown) | |||
Line 50: | Line 50: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor= | |Initial_Contributor=MH | ||
| | | | ||
}} | }} | ||
The | The UK DPA (ICO) imposed a fine of approximately €585,739 (GBP 500,000) on the Cabinet Office for a data breach in violation of Articles 5(1)(f) and 32(1) GDPR. The New Years 2020 Honours List was published including postal addresses for the recipients of the Honours. | ||
== English Summary == | == English Summary == | ||
Line 70: | Line 70: | ||
=== Holding === | === Holding === | ||
The United Kingdom Data Protection Authority ( | The United Kingdom Data Protection Authority (ICO) held that the Cabinet Office had contravened Article 5(1)(f) of the General Data Protection Regulation (GDPR) when erroneously publishing the CSV file containing the data subjects’ postal addresses. | ||
The ICO also considered that the Cabinet Office had infringed [[Article 32 GDPR#1|Article 32(1) GDPR]] as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security. | The ICO also considered that the Cabinet Office had infringed [[Article 32 GDPR#1|Article 32(1) GDPR]] as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security. | ||
Line 77: | Line 77: | ||
The ICO considered that a monetary penalty was appropriate given: | The ICO considered that a monetary penalty was appropriate given: | ||
* the number of individuals affected; | |||
* the damage or harm (eg distress and/or embarrassment); and | |||
It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial amount of views (3872 times) and the Honours List was a high-profile event that attracts interest. The ICO also considered that the address of high profile people was disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects) | * failure to apply reasonable technical and organisational measures to mitigate any breach | ||
It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial amount of views (3872 times) and the Honours List was a high-profile event that attracts interest. The ICO also considered that the address of high profile people was disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects) | |||
The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication. | The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication. | ||
The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. This included: | The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. This included: | ||
* removing the CSV file completely after 2.5 hours; | |||
* 2.5 hours was a short time frame for accessibility; and | |||
* most access occurred prior to the CSV file being completely deleted (when just the link was removed). This indicated that the first steps taken by the Cabinet Office were generally successful, even if the CSV file was still technically accessible in other ways. | |||
The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed. | The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed. | ||
Latest revision as of 10:48, 7 December 2021
ICO (UK) - Cabinet Office | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 33(1) GDPR Paragraph 15(1), Part 2, Schedule 2 Data Protection Act 2018 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 15.11.2021 |
Published: | 02.12.2021 |
Fine: | 500000 GBP |
Parties: | Cabinet Office |
National Case Number/Name: | Cabinet Office |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | MH |
The UK DPA (ICO) imposed a fine of approximately €585,739 (GBP 500,000) on the Cabinet Office for a data breach in violation of Articles 5(1)(f) and 32(1) GDPR. The New Years 2020 Honours List was published including postal addresses for the recipients of the Honours.
English Summary
Facts
On 27 December 2019, the UK Cabinet Office (department of the Government of the United Kingdom) published the content page of the New Years 2020 Honours List on its website. The content page contained a link to a CSV file version of the Honours list that was not adequately edited to remove personal data. The CSV file contained the postal address of Honours recipients in a column that had been “hidden” rather than completely “deleted” from the CSV file. Despite the various steps taken before publishing the CSV file, no one within the Cabinet Office teams working on the Honours List noticed that the column was only “hidden”. The column was still there and became apparent again once the CSV file was made available online on gov.uk.
The Cabinet Office was alerted of the data breach by a member of the Government Communications Team. The Cabinet Office then republished the content page without the link to the CSV file. However, anyone who had the exact URL to the CSV file already could still access it despite this change. This is because documents cannot be removed from the gov.uk website once they have been published.
The issue was escalated and eventually the CSV file was permanently deleted around 2 hours and 30 minutes after it was first made available. It was found that the CSV file was accessed 3872 times from 2798 IP addresses.
The Cabinet Office alerted affected data subjects within 48 hours of the data breach and submitted a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the breach.
The Cabinet Office confirmed there was no written process in place to approve documents containing personal data prior to being published to ensure the content was suitably redacted. Additionally, the Cabinet Office’s page for best practice on data handling had not been updated for six months despite the implementation of a new software used to produce the Honours List (which contained a column for addresses). There were various other security concerns identified in an independent review commissioned by the Cabinet Office (accessibility of data to team members that do not need to have access; lack of testing of software to ensure they are robust enough; lack of monitoring of training for staff).
Holding
The United Kingdom Data Protection Authority (ICO) held that the Cabinet Office had contravened Article 5(1)(f) of the General Data Protection Regulation (GDPR) when erroneously publishing the CSV file containing the data subjects’ postal addresses.
The ICO also considered that the Cabinet Office had infringed Article 32(1) GDPR as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security.
The ICO investigated the Exemption within Paragraph 15(1) of Part 2 of Schedule 2 of the Data Protection Act 2018, which excludes the application of various rights and obligations to personal data processed for the purposes of conferring an honour or dignity (given by the Government under the name “the Crown”). Article 5 is listed as a provision that the data controller would not have to comply if the exemption applied. However, the ICO deemed that this did not apply as the contravention of Article 5(1)(f) as the erroneous publication of addresses was a result of a data security incident (rather than rights and obligations).
The ICO considered that a monetary penalty was appropriate given:
- the number of individuals affected;
- the damage or harm (eg distress and/or embarrassment); and
- failure to apply reasonable technical and organisational measures to mitigate any breach
It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial amount of views (3872 times) and the Honours List was a high-profile event that attracts interest. The ICO also considered that the address of high profile people was disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects)
The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication.
The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. This included:
- removing the CSV file completely after 2.5 hours;
- 2.5 hours was a short time frame for accessibility; and
- most access occurred prior to the CSV file being completely deleted (when just the link was removed). This indicated that the first steps taken by the Cabinet Office were generally successful, even if the CSV file was still technically accessible in other ways.
The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed.
The ICO also highlighted the steps taken by the Cabinet Office to reduce the likelihood of similar events occurring in the future. For example, reviewing technical processes, issuing guidance on removing personal data, providing training sessions to staff members, engaging in an independent review of data handling policies, processes, practice and culture.
Additionally, the ICO found that the data breach stemmed from a build error of the new software used to produce the Honours List. This generated the list to include postal address data in error. Accordingly, the Cabinet Office was responsible for the breach as the Digital and Technology team built the system. Lack of training and guidance available for staff members, including those in the Digital team, was also an important factor.
The ICO therefore imposed a fine of approximately €585,739 on the Cabinet Office as an effective, proportionate and dissuasive penalty.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
ICO. Information Commissioner's Office DATA PROTECTION ACT 2018 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Cabinet Office Of: 70 Whitehall, London, SW1A 2AS 1. The Information Commissioner ("the Commissioner") has decided to issue the Cabinet Office with a penalty notice pursuant to section 155 of the Data Protection Act 2018 ("DPA"). This penalty notice imposes an administrative fine on the Cabinet Office, in accordance with the Commissioner's powers under Article 83 of the GDPR. The amount of the penalty is £500,000 (five hundred thousand pounds). 2. The penalty is being issued because of contraventions by the Cabinet Office of Articles 5(1)(f) and 32(1) of the GDPR in that, on 27-28 December 2019, the Cabinet Office in error published on GOV.UK a CSV file which included full correspondence (postal) addresses of-data subjects (all of whom were 2020 New Year Honours recipients), resulting in a disclosure of personal data. This was a breach of Article 5(1)(f) of the GDPR as the Cabinet Office did not process personal data in a manner that ensured appropriate security of the personal data. Further, at the time of and in the run up to the aforementioned breach, the Cabinet Office did not have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of data for the purpose of the 2020 New Year Honours List in breach of Article 32(1) of the GDPR. I ICO. Information Commissioner's Office 3. This penalty notice explains the Commissioner's reasons for imposing such a penalty, and for the amount of the penalty. Prior to issuing this penalty notice, the Commissioner carefully considered the Cabinet Office's Response to Notice of Intent dated 16 September 2021. Legal Framework 4. The Cabinet Office is a data controller for the purposes of the GDPR and DPA 2018 because it determines the purposes and means of the processing of the personal data associated with this incident (Article 4(7) of the GDPR). 5. "Personal data" is defined by Article 4(1) of the GDPR to mean: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" 6. "Processing" is defined by Article 4(2) of the GDPR to mean: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction,erasure or destruction" 2 ICO. Information Commissioner's Office 7. Data controllers are subject to various obligations in relation to the processing of personal data as set out in the GDPR and DPA 2018. They are obliged by Article 5(2) of the GDPR to adhere to the data processing principle set out in Article 5(1). 8. Article 5(1)(f) of the GDPR provides that personal data shall be: "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')". 9. Article 32 of the GDPR provides: "(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; 3 ICO. Information Commissioner's Office (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (2) In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." 10. The Commissioner is the supervisory authority for the United Kingdom as provided for by Article 51 of the GDPR. 11. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor and enforce the application of the GDPR. 12. By Article 58(1)(d) of the GDPR, the Commissioner has the power to notify controllers of alleged infringements of the GDPR. By Article 58(2)(i), the Commissioner has the power to impose an administrative fine in accordance with Article 83 in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstance of each individual case. 13. By Article 83(1), the Commissioner is required to ensure that administrative fines issued in accordance with Article 83 are effective, proportionate and dissuasive in each individual case. 14. Article 83(2) goes on to set out a number of factors to which the Commissioner should have regard when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case. 4 ICO. Information Commissioner's Office 15. The DPA 2018 contains enforcement provisions in part 6 which are exercisable by the Commissioner. Section 155 DPA 2018 provides in relevant part: "(1) If the Commissioner is satisfied that a person- (a) has failed or is failing as described in section 149(2), (3), (4) or (5),... the Commissioner may, by written notice, require the person to pay to the Commissioner an amount in sterling specified in the notice. (2) Subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the following, so far as relevant- (a) to the extent that the notice concerns a matter to which the UK GDPR applies, the matters listed in Article 83(1) and (2) of the UK GDPR ,, 16. Section 149(2) DPA 2018 provides in relevant part: "The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following: (a)e provision of Chapter II of the UK GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing) ,, 5 ICO. Information Commissioner's Office Background Facts Overview 17. On Friday 27 December 2019 at 22:e 0 the Cabinet Office published the content page for the New Year 2020 Honours List on GOV.e K. This was completed via a scheduled automatic publication set up by the Cabinet Office Publishing Team. 18. The content page as published contained a link to a comma-separated values ("CSV") file version of the Honours list, which in error included the correspondence (postal) addresses of Honours recipients. This resulted in an unauthorised disclosure affecting - data subjects 19. The Cabinet Office Press Office was alerted to the data breach by a member of the Government Communications Team who had "identified the data breach by chance". After becoming aware of the breach, at 22: 59 on 27 December 2019 the Cabinet Office Publishing Team republished the content page removing the link to the CSV file. However, as files uploaded onto GOV.e K are automatically cached on a content delivery network, the file continued to be accessible online to people who had the exact webpage URL. 20. The Cabinet Office contacted the Government Digital Service (GDS) at 23: 34 for GDS to assist with removing the CSV file, as although the Cabinet Office can edit pages and remove links, they cannot remove documents from the GOV.e K website once they have been published. -the issue was escalated within GDS and support was obtained 6 ICO. Information Commissioner's Office from a developer. This resulted in the CSV file being permanently deleted at 00: 51 on 28 December 2019. 21. Therefore, in total, the CSV file containing the postal address data was accessible from 22: 30 on 27 December 2019 to 00: 51 on 28 December 2019 - a period of two hours and 21 minutes. During that time the CSV file was accessed 3,872 times from 2,798 IP addresses. 22. Although the file was accessible via the cache until 00: 51, the Cabinet Office Publishing Team republished the content page at 22: 59 which removed the link to the file. The Cabinet Office's logs show most of the access to the file (72%) occurred in the initial period before the link was removed and access declined over time. 23. Affected data subjects were contacted within 48 hours of the data breach via email or telephone (if data subjects did not have an email address, the email had bounced back, or if there was an out-of-office message) where possible on 28 and 29 December 2019. Approximately 11 data subjects were not contactable via either telephone or email and needed a hard copy letter to be posted to them. Following this, a hard copy letter was posted to all affected data subjects on 30 December 2019. 24. The Cabinet Office submitted a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the data breach in accordance with Article 33(1) of the GDPR. 7 ICO. Information Commissioner's Office Circumstances surrounding the data breach 25. The Honours and Appointments Secretariat ("HAS") in the Cabinet Office coordinates the Honours system and processes all public nominations. 26. A new IT system was introduced within HAS in 2019. was built between January and June 2019 and was in use from July 2019. The 2020 Honours round was the first to use the new system. 27. The report which generated the CSV file was incorrectly formulated to include postal address data which it should not have done and was not an element requested in the original build requirements. The Cabinet Office's Digital and Technology Team was responsible for building the system. 28. Although testing took place on the report by the Cabinet Office's Digital and Technology Team and the HAS Operations Team, the postal address column went unnoticed during the testing process which the Cabinet Office has said they believe was due to the large number of fields in the spreadsheet and the focus on ensuring the list of successful Honours recipients was accurate. 29. A 'desk note' of instructions had been produced to articulate the process for running the reports which produce the final Honours lists. These instructions were available to employees via Google Drive. However, these instructions reflected the report as it should have been set up and did not include a check to ensure personal data that should not have been included therein was removed. 8 ICO. Information Commissioner's Office 30. On 19 December 2019, the error with the report incorrectly including postal address data was identified by the HAS Operations Team. However, due to short timescales between finalising amendments to the list and the deadline for giving the lists to the Press Office for publication "the decision was taken to amend the output as opposed to the report build itself". 31. On 23 December 2019 following certain changes to the Honours list, a second report was run to generate the CSV file for publication. This was completed by an employee not usually responsible for the process. This employee "was aware that postal address information should not be in the report and altered it to hide the information". Due to this, the CSV file incorrectly included postal address data which had been hidden but was still contained in the document as it had not been deleted. The Cabinet Office has subsequently stated "we acknowledge that the information should have been deleted". This version of the CSV file was sent to the Press Office on the same date. 32. On 24 December 2019 a opened and reviewed the documents sent to the Press Office on 23 December 2019 and identified formatting errors which needed correcting. The emailed the HAS Operations team on 24 December 2019 to highlight the formatting errors. The Cabinet Office said inclusion of the postal address data was not identified by the as it was not visible. In relation to this event, the Cabinet Office said, "In retrospect, this incident should have then automatically triggered a formal review point to check that the final version was correctly amended." 9 ICO. Information Commissioner's Office 33. On 24 December 2019 a third and final report was run to make the corrections requested by the . This report again generated a CSV file incorrectly including postal address data. 34. As the postal address data was hidden, the employee sending the document to the Press Office on 24 December 2019 thought the postal address data had been removed when "in reality it was still there and became visible when the document was uploaded to gov.uk". When asked if it was the same employee who hid the data as who sent the document to the Press Office, the Cabinet Office confirmed two people were involved in the process. 35. The Cabinet Office's internal investigation report said the email sent to the Press Office on 24 December 2019 "was copied to the - - and a small number of HAS members, but did not include the relevant Director or senior press office staff". The Cabinet Office confirmed that the copied into the email was the same person who identified the formatting errors with the version produced on 23 December 2019. However, the was on annual leave on 24 December 2019 when the final version was sent to the Press Office. 36. The Press Office received the final version of the CSV file on 24 December 2019, which incorrectly included the postal address data. It is understood the covering email "indicated that the previous issue had been resolved". The final CSV file was not opened by the Press Office before they completed a web publication form and sent this and the documents they had received to the Digital Team for publication on the same date, as they relied upon reassurance from the HAS in the covering email that the document was the final version. The Cabinet 10 ICO. Information Commissioner's Office Office stated that "the press office and digital teams were not responsible for reviewing the data for sensitivities of this type". 37. On 27 December 2019 the Press Office checked with the HAS that there had been no further changes and were told by the that this was correct. Therefore they "assumed that the document was still the final version to publish". 38. On 27 December 2019, the work to prepare the publication was completed by the Digital Team. At this point the Digital Team checked with the Press Office that there had been no changes to the documents. Checks for formatting, accessibility standards and correct functionality were completed by the Digital Team as per the standard process. However, these did not include any assessment of the substance, "as the team is not best placed to make any judgements" on the content and "it is clear that the documents need to be final signed-off versions". The documents were subsequently included in the content page for automatic publication. 39. The Cabinet Office has stated that "it has always been standard practice for the [HAS] Team to undertake a final review of the list documents before publication to ensure, for example, that there is no sensitive data present and that the information is presented in the correct format. This review is not intended to require or result in extensive amendments, as that would indicate that the underlying data had been incorrectly entered in the database or that the report had been set up wrongly". However, the Cabinet Office confirmed there was no specific or written process in place in the HAS to sign-off or approve documents containing personal data prior to being sent for release to ensure the content was suitable for publication. 11 ICO. Information Commissioner's Office 40. The Cabinet Office's internal investigation report included three recommendations for improvement following the incident, demonstrating certain measures were not present at the time the data breach occurred: a. Recommendation 1: That the Honours IT system is updated and re-tested to ensure that a publication-ready document is produced when the report is run, which does not include address or other sensitive data. The Desk Instructions should be amended to ensure the report is always checked so that it only ever includes data that can be published. b. Recommendation 2: Ensure clear line of accountability for sign off for documents that will be published and that there are clear instructions in the email, which give sufficient detail so others can check. c. Recommendation 3: Press Office and Digital Communications ensure that the process for removing documents published in error is clearly understood, including for out of hours. 41. An independent review led by Adrian Joseph and commissioned by the Cabinet Office reviewed wider data handling processes/practices within the Cabinet Office. That review includes the following observations: "Breaches, such as the one that impacted New Year's Honours recipients in December 2019, are too easily assigned to human error where a greater consistency of process, controls and culture across Cabinet Office could have reduced the risk systemically. There is a significant risk that further and more impactful breaches 12 ICO. Information Commissioner's Office will occur as the amount of personal data being handled by the Department increases. The Cabinet Office identified two main factors that had contributed to the breach: the introduction of a new IT software package, which had included an additional field with individuals' addresses; and a lack of clarity about sign-off processes for the final versions of the documents that went online, and in the context of the new IT system." 42. The review also highlighted the following concerns relevant to the incident: a. Whilst different documents exist on the Cabinet Office's intranet page regarding best practice on data handling, these documents are not regularly updated or promoted throughout the Department; "The GDPR Hub, for example, has not been updated since May 2019". b. There appear to be issues with access restrictions which are "often imposed too late and there are examples of personal data being accessible to whole teams". c. Cabinet Office structures regularly change with new business units often being stood up to deliver on urgent political priorities. "The pace required to deliver on these priorities was cited by some business units and stakeholders as potentially compromising the disciplines of good personal data handling". d. Some teams have built additional checks into their processes, including validating data being transferred between Government Departments, "however, in some instances it would be possible to eliminate human error altogether by fixing failings in IT systems. For example, in one software system it 13 ICO. Information Commissioner's Office is possible to accidentally send personal information about one individual to another, unconnected, individual whose details are also held in the same system". e. "Interviewees raised a number of concerns around the procurement of new software to run their data handling processes. Some said that financial considerations meant that off-the-shelf solutions were chosen to run processes that, given their complexity, warranted bespoke solutions". f. "Another concern raised by a number of teams was that software had not undergone sufficiently robust or extensive testing in advance of being rolled out. The reasons cited included lack of both staff and money, lack of expertise within the commissioning teams, and projects being rolled out too quickly in order to meet Ministerial commitments. In all instances considered by the Review these risks had been signed off by senior managers or Ministers". g. "...training is not monitored across the organisation. One team interviewed for the Review had set up their own training log, but most did not actively monitor which members of their teams had completed the training". Apology 43. On 7 January 2020, the Minister for the Cabinet Office made a statement to Parliament by which the Cabinet Office gave a public apology in relation to the incident. Notice of Intent 44. On 4 August 2021, in accordance with section 155(5) and paragraphs 2 and 3 of Schedule 16 DPA 2018, the Commissioner issued the Cabinet 14 ICO. Information Commissioner's Office Office with a Notice of Intent to impose a penalty under section 155 DPA 2018. The Notice of Intent described the circumstances and the nature of the personal data in question, explained the Commissioner's reasons for the proposed penalty of £600,000, including what she regarded as the aggravating and mitigating factors, and invited written representations from the Cabinet Office. 45. On 16 September 2021, the Cabinet Office provided written representations in response to Notice of Intent. The key representations made by the Cabinet Office were: a. the level of the fine is disproportionate to the scale of the breach (particularly taking into account that of the addresses revealed the majority were already readily accessible in the public domain); b. the proposed penalty does not take into account the extensive immediate and long-term action taken by the Cabinet Office to mitigate the consequences of the breach and was not determined in accordance with the statutory guidance reflected in the Commissioner's Regulatory Action Policy; c. the proposed penalty does not adequately reflect the statement made to Parliament by the Minister for the Cabinet Office on 7 January 2020 and the apology contained within that statement and this statement does not appear to have been taken into account adequately when the Notice of Intent was formulated; and d. The breaches do not warrant an administrative penalty and that another sanction such as that set out Article 58(2)(b) GDPR would be more appropriate. 15 ICO. Information Commissioner's Office 46. The Cabinet Office's representations have been considered in full. Having taken these representations and all other factors into account, the Commissioner has decided to issue a monetary penalty in the sum of £500,000. Breaches of GDPR Contravention of Article 5(1)(f) of the GDPR 47. Article 5(1)(f) of the GDPR has been contravened as the Cabinet Office, the controller, published the CSV file on GOV.e K which included full correspondence (postal) addresses of data subjects in error, resulting in a disclosure of personal data. 48. By Article 5(2) it is the controller who is responsible for and must be able to demonstrate compliance with Article 5(1). Contravention of Article 32 of the GDPR 49. Article 32(1) of the GDPR has been contravened as the Cabinet Office, the controller, did not have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of data for the purpose of the 2020 New Year Honours List. Exemptions 50. Paragraph 15 (1) of Part 2 of Schedule 2 to the DPA 2018 provides: 16 ICO. Information Commissioner's Office "The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity." 51. Paragraph 6 of Part 2 of Schedule 2 to the DPA 2018 provides (emphasis added): "In this Part of this Schedule, "the listed GDPR provisions" means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)- (a) Article 13(1) to (3) (personal data collected from data subject: information to be provided); (b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided); (c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers); (d) Article 16 (right to rectification); (e) Article 17(1) and (2) (right to erasure); (f) Article 18(1) (restriction of processing); (g) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing); (h) Article 20(1) and (2) (right to data portability); (i) Article 21(1) (objections to processing); (j) Article S (general princip les) so far as its provisi ns correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).e 52. The contravention of Article 5(1)(f) of the GDPR in the present case arises from a data security incident not from the rights and obligations at paragraph 6(a)-(i) of Part 2 of Schedule 2 to the DPA 2018 - the exemption therefore does not apply. 17 ICO. Information Commissioner's Office The Regulatory Action Policy 53. When deciding to impose a monetary penalty and when setting the amount of that penalty, the Commissioner had regard to and acted in accordance with the Regulatory Action Policy. 54. In deciding to impose a monetary penalty, the Commissioner had regard to all of the factors set out on page 24 of the Regulatory Action Policy and assessed this case objectively on its own merits. In all the circumstances, a monetary penalty was considered appropriate given: a. the number of individuals affected; b. there was a degree of damage or harm (which may include distress and/or embarrassment); and c. there was a failure to apply reasonable measures to mitigate any breach (or the possibility of it). 55. In setting the amount of the penalty, the Commissioner applied the five step approach set out in the Regulatory Action policy: a. At step 1, the Commissioner determined that there were no discernible financial gains identified or losses avoided in relation to the incident. b. At step 2, the Commissioner had regard to the scale and severity of the breach by taking into account the considerations identified in sl 55(2)-(4) DPA 2018. c. At step 3, the Commissioner determined that there were no additional aggravating factors. 18 ICO. Information Commissioner's Office d. At step 4, the Commissioner determined that in view of the factors set out below, an amount should be added to the penalty otherwise payable in order to act as a deterrent. e. At step 5, the Commissioner determined that there were no other factors (including ability to pay) on which to reduce the amount of the monetary penalty. Article 83(2) GDPR 56. The Commissioner has considered the factors set out in Article 83(2) GDPR in deciding whether to impose a penalty and when deciding on the amount of the penalty as follows: Nature, gravity and duration of the infringement 57. The data breach was a security incident whereby the confidentiality of personal data (postal addresses) was compromised by inclusion in the CSV file that was published in the public domain. The data breach was caused by or contributed to by the absence of appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of the data in breach of Article 32(1). 58. The CSV file which contained the postal address data was live and publicly accessible in the public domain via GOV.e K for two hours and 21 minutes, - a relatively short duration. However, during the period in which the CSV file was accessible, where it could be either viewed in a web browser or downloaded, it was accessed 3,872 times from 2,798 unique IP addresses. Further, the Cabinet Office was well aware that the New Year's Honours list is a high-profile event which attracts considerable interest such that publication of this data set would place 19 ICO. Information Commissioner's Office the associated data in the public domain in a high demand arena, with accesses likely to take place quickly and on a relatively large scale. 59. Although the data disclosed was basic personal identifiers and, in error, location data (i.e. postal addresses) as opposed to more sensitive data such as special category data or criminal conviction data, the personal data disclosed related to - data subjects across the United Kingdom who are from a broad range of professions and include various high profile peopThe personal data was published in the public domain and therefore accessible to anyone, as opposed to for example, being disclosed to other individuals who also had a high profile and therefore who would likely hold a shared interest in keeping the data secure. 60. The Cabinet Office confirmed that 207 data subjects out of a total of - affected had postal addresses that were not obviously in the public domain prior to the breach. 20 ICO. Information Commissioner's Office 64. The Cabinet Office has stated that it has been informed by policee that there is no information to suggest an increased risk in relation to any persons as a result of the data breach. 65. There is, however, evidence that the data breach has caused distress to some of the affected data subjects. The ICO has received three complaints from affected data subjects raising personal safety concerns resulting from the breach. The Cabinet Office has also been contacted by 30 affected data subjects with 27 of those contacts relating to concerns about the possible impact on the individual's personal safety, largely as a result of pre-existing considerations. 66. The Cabinet Office also acknowledged in its initial breach report that the data breach gave rise to a possible increase in vulnerability to identity fraud, caused by the combination of names, postal addresses and, in a number of instances, the type of work they undertake being published. 21 ICO. Information Commissioner's Office 67. The Cabinet Office further stated that "To our knowledge, there has been a single instance, on 29 December, of a badly-redacted screenshot of the data being posted on Twitter. We asked Twitter to remove the tweet as a violation of their terms of service and this was carried out the same day"and "there is no evidence that the personal data involved in this incident has been inappropriately disseminated more widely, or indeed at all" 68. In all the circumstances, the data breach was serious and could easily have been avoided. Further, the Cabinet Office had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The gravity of the failure was, then, very high. Intentional or negligent 69. The infringements were negligent. 70. The data breach had the potential to occur due to a build error with the newly introduced IT system within the HAS. Specifically, the report which generated the CSV file was incorrectly formulated to include postal addresses in error. The original build requirements did not include a postal address field. The erroneous inclusion of the postal address data was not identified when the report was tested by Cabinet Office staff. 71. However, the error with the report functionality including the postal address data was identified by the HAS Operations Team on 19 December 2019. This date is before the data breach occurred and presented the Cabinet Office with the opportunity to implement 22 ICO. Information Commissioner's Office measures to sufficiently mitigate the risk and protect the data. The Cabinet Office did not do so. 72. Upon identification of the error with the report functionality "the decision was taken to amend the output as opposed to the report build itself". This was because of the short timescales between finalising amendments to the list and the deadline for giving the lists to the Press Office. Due to this decision, any outputs generated from the report would therefore continue to include the postal address data in error which would have left the data open to the risk of inadvertent publication. This is demonstrated by the data breach later taking place. 73. The ICO queried if all employees within the HAS were made aware of the requirement to remove the personal data (postal address data) before processing the generated reports once the error with the report was identified by the HAS Operations Team. The Cabinet Office confirmed only 22 people have access to the system. Information about the report functionality was relevant to only five members of the HAS Operations Team. These five employees were verbally advised of the requirement to remove the postal address data. However, employees were not issued any guidance on how to remove the data. The Cabinet Office said as "was a new system, and in effect a new process, the team were responsible for identifying solutions to the issues identified throughout the process" 74. Employees relied on the desk note to produce the reports which did not reflect the report as it was set up, and did not include a check to ensure personal data that should not have been included was removed. 23 ICO. Information Commissioner's Office 75. Additionally, there was no specific or written sign-off process in place in the HAS before sending documents containing personal data for release to ensure the content was suitable for publication, even after formatting errors were identified in the second version of the CSV file when it was delivered via email to the Press Office. In relation to the formatting errors with the second version of the CSV file, the Cabinet Office said, "In retrospect, this incident should have then automatically triggered a formal review point to check that the final version was correctly amended". 76. The Cabinet Office had the opportunity on at least two occasions to implement measures to mitigate the risk and protect the data from a potential breach; firstly when the error with the report functionality including postal address data was identified by the HAS Operations Team on 19 December 2019, and secondly when the identified formatting errorswith the second version of the CSV file sent to the Press Office on 23 December 2019. Action taken by the data controller to mitigate the damage suffered by data subjects 77. The Cabinet Office has undertaken a number of appropriate and effective remedial measures after becoming aware of the data breach as follows: To contain the incident a. Once the data breach was identified the Cabinet Office subsequently removed the link to the file on the content page and contacted GDS to remove the file from cache. 24 ICO. Information Commissioner's Office b. The Cabinet Office's logs show the majority of access to the file occurred in the initial period before the link was removed at 22: 59 and access declined over time until the file was permanently deleted. This demonstrates that the immediate attempts to remove access to the data likely contributed to reducing the level of access after this point. c. The file was accessible from 22: 30 on 27 December 2019 to 00: 51 on 28 December 2019 (two hours and 21 minutes) which is a short duration. It is however noted that the quick identification of the incident was due to a member of the Government Communications Team identifying the data breach by chance. To inform data subjects d. Affected data subjects were contacted within 48 hours of the data breach via email or telephone where possible on 28 and 29 December 2019. Approximately 11 data subjects were not contactable via either method and needed a hard copy letter posted to them. Following this, a hard copy letter was posted to all affected data subjects on 30 December 2019. e. The HAS established a rota to answer recipient queries between 08:e 0-20:e 0 for the two weeks following the data breach. To attempt to mitigate potential and actual damage caused to the data subjects f. 25 ICO. g. After being informed, actions were undertaken by the Police - to assess the risk to the affected data subjects in their area/region/locality. Where additional actions were required, this was taken forward by the relevant Police force - where appropriate. This included a reminder of security advice, data subjects being advised to contact 101 (excluding those who had contacted the HAS with specific issues) and placing additional protective flags at data subjects addresses etc. National Police Coordination Centre circulated a guidance document to all Police forces which could be circulated to individual Honours recipients wanting additional advice. To identify and prevent further dissemination of the personal data 26 ICO. Information Commissioner's Office h. GDS used analytics to ascertain the extent of access to the data and were commissioned by the Cabinet Office to provide advice on further digital tracking and possible mitigation actions. i.Cabinet Office staff monitored social media and arranged for a Twitter post which showed a screenshot of the data to be removed. j. k. Internet monitoring was carried out by Police colleagues for the first week and a half following the breach. Simultaneously, the Government continues to carry out its own monitoring which the ICO were told on 29 January 2020 will "remain for the foreseeable future". "This monitoring tracks instances of the data appearing online and seeks to identify obvious instances of the data being shared". To reduce the likelihood of a similar event occurring in the future I.GDS undertook a full incident review, including a review of checks on the publisher tool and incident handling. This review looked at how the escalation process works, publisher training, and technical changes that could have mitigated impact. This resulted in the caching time frame being reduced from 24 hours to 30 minutes for attached documents. 27 ICO. Information Commissioner's Office m. A number of actions have been undertaken in the Honours system specifically, this includes reviewing the overall security of the system and permission levels, an operational process review, the approvals process, reviewing the desk note of instructions, and creating a new report generated from their database which does not include postal information. Additionally,all employees in the HAS refreshed their Responsible for Information e-Learning after the breach. n. Cabinet Office has confirmed "The report functionality in question has been amended to remove address data so that this does not arise in the future. Approvals processes for use from the (current) Birthday 2020 honours round will include a check to ensure that all documents for publication are checked for personal and sensitive data even when they should not contain it". The Cabinet Office have also provided a document with 16 action points where all except two have either had the work completed or they are currently in the process of doing so. o. The Communications Team were taking action to ensure that anyone who has not recently undertaken training does so as soon as possible. p. An independent review in the Cabinet Office led by Adrian Joseph OBE focusing on data handling policies, processes, practice and culture has been completed (dated March 2020) which includes recommendations for improvement. 28 ICO. Information Commissioner's Office Degree of responsibility 78. The data breach stems from a build error with a newly introduced IT system within the HAS. Specifically, the report which generated the CSV file was incorrectly formulated to include postal address data in error. The original build requirements did not include a postal address field. 79. The Cabinet Office's Digital and Technology team were responsible for building the system: a. The system was implemented under the agile project development process, with development being completed in periods called 'sprints' in which specific elements of the system were built, tested and approved. Required system functionality and any changes needed are articulated in project development software called JIRA which provides the audit trail for development. b. In relation to JIRA, the Cabinet Office said "User stories are defined and put into sprints for development. Each story outlines the requirements with clearly defined acceptance criteria. Stories are developed in a testing environment, then moved into the 'Testing' column where an internal functional test is carried out against the acceptance criteria. Once it has passed this test it moves into 'Product Owner Sign Off' where a member of the business unit checks the story. When the story has passed these checkpoints it moves to 'Done' and is deployed to the production environment. If necessary a training session is carried out with the business unit to walk through the story". 29 ICO. Information Commissioner's Office c. The period of the build between January and June 2019 was completed in two weeklong sprints and once the new IT system was in use from July 2019, the sprints became one month long. d. The agile sprints included the delivery of system training to employees which included training on specific issues and was completed on numerous occasions throughout the year. Members of the Digital and Technology team were simultaneously co-located within the Honours Operations team for two days each week for several months to assist with issues, and all employees involved in this data breach knew how to use and had received training on the report functionality. e. The report functionality went through several tests and iterations before it reflected the correct candidates for the final Honours list. The report was tested by the both the Cabinet Office's Digital and Technology Team and the HAS Operations Team. f. Not all staff in the HAS have access to the system, which is a measure to control access to the material it contains. Only 22 employees have access. 80. Accordingly, there were measures in place regarding the initial building and testing of the system/report. However, the error with the functionality of the report including postal address data was not identified during this process. 81. There were also other measures in place within the Cabinet Office/HAS including: 30 ICO. Information Commissioner's Office a. The Cabinet Office had mandatory data protection training in place prior to the incident, which was primarily comprised of the Civil Service e-Learning course 'Responsible for Information'. This training had been completed by employees in the HAS. Each unit provides a six-monthly Information Assurance return which confirms that employees have completed training. The Cabinet Office said the training is part of induction to [the HAS] and a record is kept of completion. b. There is a data hub on the Cabinet Office's intranet with guidance concerning all elements of the GDPR; information assurance (managing of information risks) including relating to the collection and sharing of personal data; the mandatory training; templates for data processing and privacy notices; and applied examples of best practice. The Cabinet Office said information is drawn to employees' attention via mechanisms such as a short cut to the hub on the intranet front page and staff communications. There are also additional, non mandatory, learning courses about other elements of data handling on Civil Service Learning. 82. However: a. When asked what percentage of Cabinet Office employees had completed the mandatory data protection training in the two years prior to the incident, the Cabinet Office confirmed there are seven modules in the "Responsible for Data" e-Learning which were completed between 3,517 and 4,070 times in the period encompassing the data breach. They were unable to provide a percentage but estimated take up of the training is 31 ICO. Information Commissioner's Office widespread "but could vary between roughly half and most of the staff in the department at any given time". b. Employees in the Press Office and Digital Team, who were also involved in the process of the data being published, had not received data protection training in the last two years. c. There was a 'desk note' of instructions which articulated the process for running the reports which produce the final Honours lists available to employees via Google Drive. However, the desk note reflected the report as it should have been set up. It did notinclude a check to ensure personal data that should not have been present was removed. d. The Cabinet Office said the data hub does not cover redaction of documents to remove personal data and that "Staff in the Secretariat were not explicitly trained on this point, in part because had the report been set up correctly, it should not have been necessary". However, in mitigation to the above they said "However, as part of their wider data training, they were aware that postal address information constituted personal data which should not be disclosed". This is particularly relevant to the data breach, as the employee involved believed that hiding the data in the CSV file involved in the data breach was a sufficient method to remove it. e. There was no specific or written sign-off process in place in the HAS before sending documents containing personal data for release to ensure the content was suitable for publication, even after formatting errors were identified with the second version 32 ICO. Information Commissioner's Office of the CSV file when delivered via email to the Press Office. In relation to the identification of the formatting errors, the Cabinet Office said, "In retrospect, this incident should have then automatically triggered a formal review point to check that the final version was correctly amended". f. As set out above, the error with the report functionality including the postal address data was identified by the HAS Operations team on 19 December 2019 before the data breach occurred, which presented the Cabinet Office with the opportunity to implement measures to sufficiently protect the data and mitigate the risk of it being handled incorrectly in error. The data breach later occurring demonstrates the risk of the postal address data being handled incorrectly was not sufficientlymitigated by appropriate technical and/or organisational measures. If the Cabinet Office had introduced further measures following the identification of the error with the report, they could have reduced the likelihood of the postal address data being disclosed in error. Examples of such measures include: i. Amending the desk note to include robust and prescriptive instructions on the correct method to remove the postal address data in the CSV file generated which was not to be included in the list publication. ii. Implementing a sign-off procedure to check the postal address data had been removed correctly, in accordance with the instructions provided above, before delivering the final version to the Press Office for publication. 33 ICO. Information Commissioner's Office 83. The nature of the publication of the Honours list is and was such that the document may need regular changes, possibly at the last minute. This, coupled with the fact that some of the data on the spreadsheet referred to vulnerable (to reflect the terminology adopted by the Cabinet Office) or high-profile individuals, meant that the security measures involved should, in order to demonstrate effective organisational and technical controls, have been more detailed and taken greater care to address the risks presented in the processing of the data set, including its eventual publication. Any relevant previous infringements 84. No relevant previous infringements have been identified. The degree of cooperation with the Commissioner 85. The Cabinet Office has been cooperative and responsive with the ICO's investigation. In particular: a. The initial Personal Data Breach Report for the data breach was submitted within 72 hours of becoming aware, in line with Article 33 (1) of the GDPR. b. Two conference calls took place between the ICO and the Cabinet Office early-on in the ICO's investigation. c. The Cabinet Office have answered four rounds of written enquiries sent by the ICO albeit some of the responses were not as clear as they might have been. d. The Cabinet Office have been open with the ICO regarding the failures/factors which contributed to the data breach. 34 ICO. Information Commissioner's Office The categories of personal data affected by the infringement 86. The data disclosed was location data (i.e. postal addresses). Some of the data affected was already in the public domain. However, numerous postal addresses which were not in the public domain were made public by the data breach. There were 207 such entries with addresses - which is not an insubstantial amount. The manner in which the infringement became known to the Commissioner 87. The infringement became known to the Commissioner as a result of the Cabinet Office submitting a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the data breach in accordance with Article 33(1) of the GDPR. Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures 88. Not applicable. Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 89. Not applicable. Aggravating and mitigating factors 35 ICO. Information Commissioner's Office 90. Beyond the matters referred to above there were no other significant factors that aggravate or mitigate the infringement. Deterrent Effect 91. The Cabinet Office is a long-established organisation at the heart of government that processes a variety of data across a range of activities. It has the standing, access to resource and expertise, and sophistication to provide a high standard of organisational and technical measures in comparison to, for example, a small private sector organisation or a small public authority. Organisations that have the means to do so, are expected to take the most stringent possible preventative measures. The Cabinet Office would have incurred very little, if any, cost in implementing a procedure that could have prevented the data breach. 92. Further, the honours list is an annual process involving high profile and vulnerable individuals. The Cabinet Office should have been more aware of the need for strong security arrangements. Following an external review initiated by the Cabinet Office, cultural challenges were identified in regard to data protection requirements. 93. For the avoidance of doubt, the Cabinet Office has not been held to a higher standard than another like controller, merely a high standard in relation to an important and high-profile processing activity undertaken by it. The Cabinet Office has the standing, access to resource and expertise, and sophistication to provide a high standard of organisational and technical measures. The penalty reflects the Cabinet Office's breach when considered in that context, albeit some reduction has been made to the penalty to reflect the Cabinet Office's representations with regard to deterrent effect. 36 ICO. Information Commissioner's Office Reducing the amount to reflect anymitigating factors, including ability to pay 94. The Commissioner is not aware of any financial hardships or factors that would reduce the Cabinet Office's ability to pay. Whilst the Response to the Notice of Intent refers to the current strain on public finances including as a result of the Covid-19 pandemic, no specific figures or details were provided in relation to the extent of any such strain or hardship on the Cabinet Office. Nor does the Commissioner consider there are any other factors that should lead to a reduction in the penalty amount. 95. The spending and budget of the Cabinet Office was previously understood to be in excess of £1 billion in 2019/20. However, in the Response to the Notice of Intent, the Cabinet Office stated that the appropriate budget amount was £381 million. The Commissioner accepts that £381 million is the appropriate budget figure. For the avoidance of doubt, the Cabinet Office's spending/budget has not been used in any sort of mechanistic fashion to determine the penalty amount. Rather it was considered that the Cabinet Office is of sufficient size to be able to withstand the proposed penalty. This position holds true even on the basis of the Cabinet Office's budget being £381 million. 96. Taking into account all of the above, the Commissioner is of the view that a penalty in the sum of £500,000 is effective, proportionate and dissuasive. Summary and decided penalty 97. For the reasons set out above, the Commissioner has decided to impose a financial penalty on the Cabinet Office. 37 ICO. Information Commissioner's Office 98. Taking into account all of the factors set out above, the Commissioner has decided to impose a penalty in the amount of £500,000 (five hundred thousand pounds). Payment of the penalty 99. The penalty must be paid to the Commissioner's office by BACS transfer or cheque by 14 December 2021 at the latest. The penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England. 100. There is a right of appeal to the First-tier Tribunal (Information Rights) against: (a) the imposition of the monetary penalty and/or; (b) the amount of the penalty specified in the monetary penalty notice. 101. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 102. Information about appeals is set out in Annex 1. 103. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; 38 ICO. Information Commissioner's Office • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and • period for appealing against the monetary penalty and any variation of it has expired. 104. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Dated the 15th day of November 2021 Elizabeth Denham Information Commissioner Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 39 ICO. Information Commissioner's Office ANNEX 1 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(S) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:e a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester LE1 8DJ Telephone: 0203 936 8963 Email: grc@justice.gov.uk 40 ICO. Information Commissioner's Office a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:e a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 41 ICO. Information Commissioner's Office 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(S) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 42