
New Year Honours List GDPR Breach

On the 26th December at 10:30pm the Cabinet Office published the New Year Honours list as it does every year. However, this time, alongside the names of the recipients, many of their home addresses were also published. The list was downloadable for about an hour before being taken down early the following day.

The New Year Honours list of over 1000 recipients includes several Ministry of Defence employees and senior counter-terrorism officers, as well as other high-profile individuals including Sir Elton John, cricketer Ben Stokes, celebrity chef Ainsley Harriott, and Olivia Newton John. Most of the entries in the list had their personal addresses listed alongside their names and awards when initially uploaded.

As this constitutes a breach of Data Protection Regulations, the Information Commissioner’s Office (ICO) has said it will be making inquiries into the breach. Under Article 83(2) of GDPR, which outlines the general conditions for imposing administrative fines, the ICO’s investigation will be contingent on several factors including:

  • The nature, gravity and duration of the infringement
  • The intentional or negligent character of the infringement
  • The number of data subjects affected, and the level of damage suffered
  • Any action taken by the controller or processor to mitigate the infringement and its possible adverse effects
  • The manner in which the infringement became known to the ICO

While the Cabinet Office acted swiftly to remove the list and reported the breach itself to the ICO, it is unclear to what extent the individuals affected will suffer damages. There are several people on the list who are employed in sensitive or high-profile positions, whose privacy is of critical importance. The Cabinet Office has reached out to those affected to provide them guidance in relation to any security concerns.

Due to the Cabinet Office’s swift response, it may be that the ICO will only issue a warning. However, even if the ICO does not issue a fine, the individuals affected by the breach could sue in the civil courts for compensation for both material and non-material damage suffered.

The ICO has only levied a few fines under GDPR thus far, so this case may provide an interesting examination of how the ICO intends to respond to GDPR breaches going forward.

For any further guidance or information on this matter, please do not hesitate to contact Piers Larbey.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.