Cabinet Office – €585,000 Fine (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK Cabinet Office accidentally published a file online that included the addresses of people honored in the New Year's 2020 Honours List. This mistake happened because the file wasn't properly edited to remove personal information. The incident highlights the importance of careful data handling to protect people's privacy.
What happened
The Cabinet Office published a CSV file containing the postal addresses of Honours recipients without properly removing personal data.
Who was affected
Honours recipients whose postal addresses were included in the publicly accessible CSV file.
What the authority found
The Information Commissioner's Office found that the Cabinet Office failed to adequately protect personal data, violating GDPR's security requirements.
Why this matters
This case shows that government bodies must take data protection seriously, just like private companies. It serves as a reminder for all organizations to ensure personal data is properly handled and secured before publication.
On 27 December 2019, the UK Cabinet Office (a department of the Government of the United Kingdom) published the content page of the New Year's 2020 Honours List on its website. The content page contained a link to a CSV file version of the Honours list that was not adequately edited to remove personal data. The CSV file contained the postal addresses of Honours recipients in a column that had been “hidden” rather than completely “deleted” from the CSV file. Despite the various steps taken before publishing the CSV file, no one within the Cabinet Office teams working on the Honours List noticed that the column was only “hidden”. The column was still there and became apparent again once the CSV file was made available online on gov.uk.
The Cabinet Office was alerted to the data breach by a member of the Government Communications Team. The Cabinet Office then republished the content page without the link to the CSV file. However, anyone who already had the exact URL to the CSV file could still access it despite this change. This is because documents cannot be removed from the gov.uk website once they have been published. The issue was escalated and eventually the CSV file was permanently deleted around 2 hours and 30 minutes after it was first made available. It was found that the CSV file was accessed 3872 times from 2798 IP addresses.
The Cabinet Office alerted affected data subjects within 48 hours of the data breach and submitted a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the breach. The Cabinet Office confirmed there was no written process in place to approve documents containing personal data prior to being published to ensure the content was suitably redacted. Additionally, the Cabinet Office’s page for best practice on data handling had not been updated for six months despite the implementation of new software used to produce the Honours List (which contained a column for addresses). There were various other security concerns id
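A pre-publication gate for the failure described above, as an added example (not code from the Cabinet Office, the ICO or this site): it inspects the exported CSV itself against an allowlist of approved columns, because CSV has no notion of a hidden column, and it flags postcode-like values in any cell. The column names, the postcode heuristic and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumption: the columns signed off for publication (hypothetical names).
APPROVED_COLUMNS = frozenset({"Name", "Award", "Citation"})

# Heuristic UK postcode pattern: catches address data even under an approved header.
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b", re.IGNORECASE)

EXTRA = "<extra cells>"  # key csv.DictReader uses for cells beyond the header row


def check_csv_for_publication(text, approved=APPROVED_COLUMNS):
    """Return a list of findings; an empty list means the export may be published."""
    findings = []
    reader = csv.DictReader(io.StringIO(text, newline=""), restkey=EXTRA)
    # Check what is actually in the file, not what the spreadsheet view shows.
    for header in reader.fieldnames or []:
        if header.strip() not in approved:
            findings.append(f"unapproved column in export: {header!r}")
    for row_no, row in enumerate(reader, start=1):
        for column, value in row.items():
            if column == EXTRA:
                findings.append(f"data row {row_no}: cells beyond the last header")
                continue
            # Report the location only, never the value, so logs stay clean.
            if value and UK_POSTCODE.search(value):
                findings.append(f"data row {row_no}: postcode-like value in {column!r}")
    return findings


# Constructed sample: an export in which the address column is still present.
LEAKY_EXPORT = (
    "Name,Award,Citation,Address\r\n"
    'A. Example,MBE,For services to testing,"1 Sample Street, Testtown, ZZ1 1ZZ"\r\n'
)
# Constructed sample: the same export with the column deleted, not hidden.
CLEAN_EXPORT = "Name,Award,Citation\r\nA. Example,MBE,For services to testing\r\n"

if __name__ == "__main__":
    for label, export in (("leaky", LEAKY_EXPORT), ("clean", CLEAN_EXPORT)):
        problems = check_csv_for_publication(export)
        print(label, "BLOCKED" if problems else "ok to publish", problems)
```

Run as a mandatory step on the final exported file, after all spreadsheet editing, so the check sees the same bytes that would be uploaded.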
Related Enforcement Actions (0)
No other enforcement actions found for Cabinet Office in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 November 2021
Authority
Information Commissioner's Office
Fine Amount
€585,000
500,000 GBP
Enforcement Tracker ID
ETid-930
GDPRhub ID
gdprhub-4410
Cite as: Cookie Fines. Cabinet Office - United Kingdom (2021). Retrieved from cookiefines.eu