The Cabinet Office has been criticised for a “farcical and inexcusable mistake” after the home addresses of celebrities, military figures and elderly people named in the New Year Honours list were inadvertently posted online.
The Information Commissioner’s Office (ICO) is investigating the alleged data breach after details relating to the vast majority of the 1,097 recipients could be viewed online from 11pm on Friday, shortly after news of their honours went public.
The details were removed around an hour after the accidental disclosure.
Basic grip on data protection
The Cabinet Office apologised, said it was contacting those affected, and had referred itself to the regulator.
Silkie Carlo, director of privacy campaign group Big Brother Watch, said: “It’s extremely worrying to see that the Government doesn’t have a basic grip on data protection, and that people receiving some of the highest honours have been put at risk because of this.
“It’s a farcical and inexcusable mistake, especially given the new Data Protection Act passed by the Government last year – it clearly can’t stick by its rules.”
The list saw awards given to members of England’s World Cup winning cricket team, performers such as Sir Elton John and Grease star Olivia Newton-John, as well as former Conservative Party leader Iain Duncan Smith.
Alison Saunders, the former director of public prosecutions, was also among the honours recipients, alongside 94-year-old D-Day veteran Harry Billinge, and 13-year-old schoolboy Ibrahim Yousaf.
The list also included senior diplomats, counter-terror police and figures from the military.
A Cabinet Office spokesman said: “A version of the New Year Honours 2020 list was published in error which contained recipients’ addresses.
“The information was removed as soon as possible.
“We apologise to all those affected and are looking into how this happened.
“We have reported the matter to the ICO (Information Commissioner’s Office) and are contacting all those affected directly.”
Only six people honoured for services to defence were left off the list, according to the BBC.
The ICO, which has the power to fine organisations for data breaches, said it was investigating.
The introduction of General Data Protection Regulation (GDPR) rules in May 2018 increased the penalties regulators such as the ICO are able to introduce.
It means breaches can result in the ICO issuing penalties equivalent of up to 4 per cent of annual global turnover or £17 million – whichever is greater.
Previously, the largest penalty the ICO meted out was to Facebook when it was fined £500,000 – the maximum allowed at the time – for failing to protect users’ personal data.
But in July, the ICO announced its intention to fine British Airways £183 million for its own data breach, which will become the largest penalty ever issued by the regulator once the process is completed.
The ICO later handed out an intention to fine the hotel chain Marriott International £99 million after it admitted the guest records of around 339 million people had been accessed.
“It is not ideal, but what is done is done”
Hackney councillor and charity pioneer Mete Coban, who was handed an MBE for services to young people, told the PA news agency: “If those responsible have apologised and it is a genuine error, then there is not much more that can be done.
“I understand why others are concerned, but most of my details are online because of the council work anyway.
“It is not ideal, but what is done is done.”