Major data breach in New Year’s Honours – what are the consequences?

Over 1000 addresses leaked

The publication of this year’s New Year’s Honours list was accompanied by an embarrassing data breach in which the personal addresses of over 1,000 high profile individuals were published by the Cabinet Office. The list was uploaded to an official website on Friday evening and was removed on Sunday; the data published included a spreadsheet containing the full addresses, including postcodes, of the honours recipients.

This serious breach of the General Data Protection Regulation (GDPR) will need to be investigated by the Information Commissioners Office (ICO), and given the high profile of the individuals involved, it is likely the Cabinet Office will face significant criticism and potential claims by the individuals involved.

Civil claims in the UK

There has not yet been a successful civil claim in the UK where a significant compensation award has been made to a victim of a data breach under the GPDR rules. However, Article 82 of the regulation provides for compensation where individuals have suffered harm as a result of a data breach.

More questions about GDPR? Take a look at our GDPR Survival Guide.

Given the personal nature of the data disclosed, which may pose a risk to the right to private and family life of the individuals (protected by Article 8 of the European Convention of Human Rights and the Human Rights Act 1998). it is likely that some celebrities will take civil action in respect of the breach, which may create a precedent for claims in the courts.

This leak was unfortunate, given the context and these prestigious awards; it is a sharp reminder that serious care needs to be exercised when processing individuals’ information. It remains to be seen what the ICO’s investigations will recommend and whether it will issue a fine for this particular breach, something it has not done often since the implementation of the GDPR; their first fine has recently been issued.

If you have been the victim of a data breach and have lost personal information, please contact Steven Murray on 01242 246 494 or at [email protected] for advice and guidance.