Cabinet Office – €585,000 Fine (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK Cabinet Office was fined EUR 585,000 for accidentally publishing a file that exposed personal addresses of Honours recipients. The file was not properly edited to remove sensitive information before being made public. This incident stresses the importance of careful data handling and review processes.
What happened
The Cabinet Office published a CSV file containing hidden personal addresses of Honours recipients on its website.
Who was affected
Honours recipients whose postal addresses were exposed in the CSV file were affected.
What the authority found
The authority found that the Cabinet Office failed to adequately protect personal data before publishing it online.
Why this matters
This case is a reminder for government bodies and other organizations to implement strict data handling procedures. It shows that even well-intentioned actions can lead to serious privacy breaches if proper checks are not in place.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
On 27 December 2019, the UK Cabinet Office (a department of the Government of the United Kingdom) published the content page of the New Year's 2020 Honours List on its website. The content page contained a link to a CSV file version of the Honours list that was not adequately edited to remove personal data. The CSV file contained the postal addresses of Honours recipients in a column that had been “hidden” rather than completely “deleted” from the CSV file. Despite the various steps taken before publishing the CSV file, no one within the Cabinet Office teams working on the Honours List noticed that the column was only “hidden”. The column was still there and became visible again once the CSV file was made available online on gov.uk.
The Cabinet Office was alerted to the data breach by a member of the Government Communications Team. The Cabinet Office then republished the content page without the link to the CSV file. However, anyone who already had the exact URL of the CSV file could still access it despite this change, because documents cannot be removed from the gov.uk website once they have been published. The issue was escalated and eventually the CSV file was permanently deleted around 2 hours and 30 minutes after it was first made available. It was found that the CSV file was accessed 3872 times from 2798 IP addresses.
The Cabinet Office alerted affected data subjects within 48 hours of the data breach and submitted a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the breach.
The Cabinet Office confirmed there was no written process in place to approve documents containing personal data prior to publication to ensure the content was suitably redacted. Additionally, the Cabinet Office’s page for best practice on data handling had not been updated for six months despite the implementation of new software used to produce the Honours List (which contained a column for addresses). There were various other security concerns id
Details
Fine Date
15 November 2021
Authority
Information Commissioner's Office
Fine Amount
€585,000
500,000 GBP
GDPRhub ID
gdprhub-4410
Cite as: Cookie Fines. Cabinet Office - United Kingdom (2021). Retrieved from cookiefines.eu