Brian Sims

ICO and Cabinet Office reach agreement on revised data breach fine

THE INFORMATION Commissioner has agreed to reduce the £500,000 Monetary Penalty Notice imposed on the Cabinet Office in 2021 in relation to the New Year Honours data breach to £50,000, which the Cabinet Office has agreed to pay. The reduction reflects the Information Commissioner’s Office’s (ICO) new approach to working more effectively with public authorities.

The ICO issued its fine to the Cabinet Office on 15 November last year, following an investigation into the 2019 data breach, whereby the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 individuals announced in the New Year Honours list. The personal data was available online for a period of two hours and 21 minutes and accessed 3,872 times.

The Cabinet Office appealed against the amount of the fine to the First-Tier Tribunal (i.e. the General Regulatory Chamber) in December 2021, alleging that the level of penalty was “wholly disproportionate”. The appeal related solely to the amount of the fine. The facts leading up to the imposition of the penalty were not in dispute.

Under the agreement reached between the parties, which has been approved by the First-Tier Tribunal, the Information Commissioner has agreed to a reduction in the amount of the fine to £50,000. Otherwise, the Cabinet Office’s appeal before the First-Tier Tribunal is dismissed and the hearing listed before the First-Tier Tribunal on 4 November has been vacated.

Pragmatic and proportionate

Information Commissioner John Edwards commented: “The ICO is a pragmatic, proportionate and effective regulator, focusing on making a difference to people’s lives. While I consider the original fine was proportionate in all the circumstances of this case due to the potential impact on the individuals affected by the breach, I recognise the current economic pressures public bodies are facing and also the fact that, in certain cases, fines may be less critical in achieving deterrence.”

Edwards concluded: “We welcome the agreement reached with the Cabinet Office and will continue to work with the department to ensure people’s information is being looked after.”

The new approach to working more effectively with public bodies is all about raising data protection standards. “As I have explained,” added Edwards, “in certain circumstances large fines on their own may not be as effective a deterrent within the public sector. I’m willing to use my discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice.”

Specific responsibilities

The ICO has specific responsibilities as set out in the Data Protection Act 2018, the UK General Data Protection Regulation, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.

Further, the ICO has a number of powers with which to encourage and enforce adherence to the relevant legislation. These include issuing reprimands, ordering organisations to process data differently or to stop processing altogether, ordering audits of structures or policies, banning organisations from holding data and imposing a civil monetary penalty of up to 4% of global turnover.

The penalty in this case was issued under the Data Protection Act 2018 for infringements of the General Data Protection Regulation.

Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England. It is not kept by the ICO.

Security Matters

Western Business Media