The UK government has breached European Union data laws by inadvertently posting online the private addresses of more than 1000 people awarded New Year’s honours. Addresses that were meant to be redacted were published in a file containing the names of those announced in the Queen’s New Year’s honours list on 27th December. The file was online for several hours overnight before being removed.
Those affected included celebrities such as Elton John, as well as high ranking Police officers and others who have served in MI5, the UK security service.
It seems that this was an accidental breach of the General Data Protection Regulation (GDPR), which was quickly corrected as soon as it was brought to the attention of the Cabinet Office.A Cabinet Office spokesperson informed News Agenciesthat the unredacted list containing the addresses was published “in error”, and that the information was removed “as soon as possible”. “We apologise to all those affected and are looking into how this happened. We have reported the matter to the Information Commissioner’s Office and are contacting all those affected directly.
What happens next?
The ICO said it will be making enquiries into how the data was published, although experts are unsure whether the body is likely to take action – or what level of fine it might issue. The New Year’s Honours List has been published on-line over many previous years without such serious error, so the ICO will be seeking to learn the cause of the mistake, without necessarily imposing a fine.
However, the Cabinet Office will be embarrassed and its’ reputation for maintaining information security will have been undermined. Moreover, this does not preclude an Honours recipient from taking action against the Government for disclosing their Personally Identifiable Information.
The Cabinet Office declined to answer questions about how the breach happened, and whether the error would change the government’s current policy to proactively publish data as part of the open data initiative. But a weak or lax response by the ICO to a serious government department breach is unlikely to be persuasive of the UK’s strength of protection for rights and freedoms.
One concern is that the incident could lead to the government pulling back on data publication to avoid further mistakes, which would be a potential blow to transparency. The Government need sufficiently competent resources in place in order to ensure that such incidents do not reoccur and that both they and the General Public can keep faith with the Government’s ability to manage and publish data.