The UK government may have breached the European Union General Data Protection Regulation (GDPR) by posting the private addresses of more than 1000 individuals online. While it is currently unclear whether and how much the government is likely to be fined for the breach, there are concerns that the error could lead to measures that hamper government transparency.
Addresses that were meant to be redacted were published in a file containing the names of those announced in the Queen’s New Year’s honours list on 27 December. The file was online for several hours overnight before being removed.
Those affected included celebrities such as Elton John, as well as officers who have served in MI5, the UK security service.
The unintended data leak could be a breach of the GDPR, which requires organisations to process data securely.
“It’s unquestionably a serious incident,” says Tim Turner, a data protection consultant in Manchester, UK. “Home addresses aren’t always sensitive information, but it depends on who you are.”
A Cabinet Office spokesperson told New Scientist the unredacted list containing the addresses was published “in error”, and that the information was removed “as soon as possible”.
“We apologise to all those affected and are looking into how this happened. We have reported the matter to the Information Commissioner’s Office and are contacting all those affected directly.”
The ICO said it will be making enquiries into how the data was published, although experts are unsure whether the ICO is likely to take action – or what level of fine it might issue.
“This incident clearly calls into question the Cabinet Office’s procedures for handling personal data and I think the repercussions could be quite significant irrespective of whether or not the ICO decide to issue a monetary penalty notice,” says Craig Clark, data protection officer at the University of East London.
Others are less sure. “It’s a lapse, rather than showing malice or systemic failure, and was pretty quickly corrected,” says Lilian Edwards of Newcastle University, UK. “I’d imagine the ICO have more pressing matters for fines or prosecution.”
“Whether this leads to a fine depends on whether [the Cabinet Office] can somehow say they did everything they could and an accident occurred that could not have been prevented,” says Turner. However, previous incidents of accidental publication have led to data protection fines, including for councils and hospital trusts.
More likely – and more costly – is court action against the Cabinet Office from one of the celebrities given an honour, according to Clark.
The ICO’s response to the incident will be carefully watched by the European Union, which is undertaking Brexit negotiations, says Rowenna Fielding at data protection consultants Protecture. “A weak or lax response to a serious government department breach is unlikely to be persuasive of the UK’s strength of protection for rights and freedoms,” she says.
The Cabinet Office declined to answer questions about how the breach happened, and whether the error would change the government’s current policy to proactively publish data as part of the open data initiative.
One concern is that the incident could lead to the government pulling back on data publication to avoid further mistakes, a potential blow to transparency.
“If government decision-makers don’t feel the necessary resources and competence are available to manage data appropriately, they may indeed take that position,” says Fielding.