Cabinet Office – €585,000 Fine (United Kingdom, 2021)

€585,000Information Commissioner's Office25 November 2021United Kingdom
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The UK Cabinet Office accidentally published a file online that revealed the addresses of people honored in the New Year’s 2020 Honours List. This mistake happened because a column in the file was only hidden, not deleted, allowing anyone with the link to access it. The incident highlights the importance of properly managing personal data before making it public.

What happened

The Cabinet Office published a CSV file online that contained hidden personal addresses of Honours recipients.

Who was affected

People who received honors and had their postal addresses exposed in the published file.

What the authority found

The Information Commissioner's Office found that the Cabinet Office failed to adequately protect personal data, violating GDPR's requirements for data security.

Why this matters

This case shows that government bodies must ensure personal data is properly handled before publication. Other organizations should review their data management practices to avoid similar breaches.

GDPR Articles Cited

AI-verified

Art. 32(GDPR)
Art. 5(1)(f) GDPR
View original scraped data
Art. 5(1) f) GDPR
Art. 32(GDPR)

Original data from scraper before AI verification against source document.

Source verified 10 March 2026
amount discrepancy
United Kingdom enforcementInformation Commissioner's Office actionsAll Cabinet Office actions
Full Legal Summary
Detailed

The UK DPA (ICO) has fined the Cabinet Office EUR 585,000. On December 27, 2019, the Cabinet Office published a file on GOV.UK containing the names and uncensored addresses of more than 1,000 individuals who had received New Year's honors. Individuals from a wide range of professions across the United Kingdom were affected, including individuals with a high public profile. After learning of the data breach, the Cabinet Office removed the web link to the file. However, the file was still in the cache and was accessible online to people who had the exact website address. The disclosed personal data was available online for two hours and 21 minutes and had been accessed 3,872 times. The breach occurred due to an error in the setup of the Cabinet Office's new IT system. The ICO found that the Cabinet Office failed to take appropriate technical and organizational measures to ensure a level of protection appropriate with the risk to data subjects.

Related Enforcement Actions (1)

Other enforcement actions involving Cabinet Office in UK

Fine
Nov 2021· Information Commissioner's Office

On 27 December 2019, the UK Cabinet Office (department of the Government of the United Kingdom) published the content page of the New Years 2020 Honou...

€585K
Current
Nov 2021

Fine

€585K

Details

Fine Date

25 November 2021

Authority

Information Commissioner's Office

Fine Amount

€585,000

Enforcement Tracker ID

ETid-930

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Cabinet Office - United Kingdom (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: