The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for a data leak in 2020 that exposed the full names and addresses of the New Year Honours recipients on its web page.
More than 1,000 people were affected by the leak, with notable inclusions such as Sir Elton John, Dame Olivia Newton-John, and Sir Iain Duncan Smith.
gunnercooke Data Protection, Public law & Procurement partner, Tim Heywood, looks at how the failure to mitigate basic data risks can have significant consequences for your organisation. He also looks at the importance of conducting a GAP Analysis to avoid a similar occurrence.
“This time last year, the Cabinet Office made some basic administrative and technical errors which have resulted in a significant ICO fine.
“1,000 people having their names and corresponding addresses posted online is precisely the sort of personal data sharing that compromises individual’s safety and security and increases the risk of being exposed to identity fraud.
“In this case, Cabinet Office employees were reportedly under pressure and attempted a “quick fix” for an IT issue instead of testing thoroughly and ensuring the system was fit for purpose.
“There were reportedly no specific or written processes in place at the time to ensure the proper sign- off or authorisation prior to the publication of content containing personal data.
“The Cabinet Office did apparently act swiftly once the breach became apparent and undertook a full incident review which included looking at system security, implementing information management training and improving internal processes for data handling.
“However, this is a little like closing the stable door after the horse has bolted. The incident raises legitimate questions about the privacy practices of other government departments and agencies.
“When data breaches occur, it’s rare to find that human error isn’t the main factor, and that simple checks and balances could have resulted in a far better outcome.
“Focussed and incremental operational and technical improvements are often required in order to achieve compliance with data protection laws.
“It’s why we offer a detailed UK GDPR GAP analysis (otherwise known as a data protection audit) for numerous organisations every year.
“The resulting recommendations can usually be implemented quickly and easily.
“We determine the breadth and strength of your policies and procedures relating to the processing of personal data, and crucially, whether they have been implemented effectively and are being followed.
“The adequacy of controls in place are stress tested and the GAP analysis informs what changes or improvements might be necessary to ensure your data privacy framework is robust but agile enough to adapt to changing operational and legislative factors.
“When things do go wrong, we also have significant experience in handling data breaches and engaging with the ICO, including representing central government departments and agencies.”
You can also view our full Data Protection and GDPR GAP analysis proposition here.