The Cabinet Office has been fined half a million pounds for mistakenly publishing addresses of New Year Honours recipients – including Sir Elton John and senior police officers.
At the end of 2019, a file containing the names and full postal addresses of more than 1,000 people due to receive an honour in 2020 was uploaded to an official website.
They included the addresses of Sir Elton John, cricketer Ben Stokes, senior Tory Iain Duncan Smith, TV chefs Nadiya Hussain and Ainsley Harriot, broadcaster Gabby Logan, Grease actress Olivia Newton-John and former director of public prosecutions Alison Saunders.
The file, which could be downloaded, appeared on the government’s website at 10.30pm on Friday 27 December 2019 and was removed 2 hours 21 minutes later.
It was accessed 3,872 times from 2,798 unique IP addresses, mostly within the first 29 minutes it had been published.
The incident was reported to the Information Commissioner’s Office (ICO) and the government apologised and contacted all those affected.
Cabinet Office staff then had to work 12-hour days for two weeks specifically answering queries from the people whose addresses they had leaked.
Sir Elton John spotted with walking stick in public for first time as he’s handed royal award from Prince Charles
Adele website ‘crashes’ as singer announces BST Hyde Park London shows for 2022 – which will be her first in five years
Sir Elton John becomes first artist to secure a top 10 UK single across six different decades
The police also had to monitor the internet for the first 10 days and some forces decided people on the list in their areas needed extra help to protect them.
Publishing its ruling on Thursday, the ICO said it found the Cabinet Office “failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information”.
“This is a breach of protection law,” it said.
The ICO initially planned to fine the Cabinet Office £600,000 but after the department said it had apologised, most of the addresses were already readily accessible, and it has taken action to rectify faults, the fine was lowered to £500,000 – payable by 14 December.
The money will go into the government’s general bank account at the Bank of England.
During its investigation, the ICO found the list had been scheduled to be automatically published by the Cabinet Office.
The error was discovered “by chance” by a member of the government’s communications team 29 minutes after it was published so the Cabinet Office republished the page, removing the link to the file.
However, they did not realise that files uploaded to the government website are automatically cached so the file was still accessible to those who had the exact webpage URL.
Just over an hour after the files were published, the Cabinet Office contacted Government Digital Service to ask for help to remove the file as the ICO said the team can edit pages and remove links but cannot remove documents once they have been published.
The ICO said a developer had to be contacted to permanently delete the file, which eventually happened at 00.51 on 28 December 2019.
All the people whose addresses were published were contacted within 48 hours via email or telephone, however, 11 people were not contactable via those methods so a hard copy was posted to them on 30 December.
The ICO’s investigation found the list made it through three drafts but on the second draft an employee “not usually responsible for the process” saw the addresses were visible so hid them but did not delete them.
When the final report was sent to the press office, they were notified that the “previous issue had been resolved” and the press office did not open the final file before publishing because “they relied upon reassurance…that the document was the final version”.
Lack of staff, money and expertise as well as projects being rolled out too quickly were cited by a number of government teams as to why the software had not been sufficiently tested before it was rolled out.
The Cabinet Office admitted staff in the press office and digital team had not received data protection training for the two years before the breach.