The UK Information Commissioner (ICO) has come to an agreement with the Cabinet Office to reduce a fine imposed on the Cabinet Office in 2021 in relation to the New Year Honours data breach. The original £500,000 ($574,000) Monetary Penalty Notice (MPN) is to be reduced to £50,000 ($57,000).
The ICO issued its fine to the Cabinet Office on November 15, 2021, after a data breach in 2019 where the Cabinet Office published a file on gov.uk with the names and addresses of more than 1,000 people who were announced in the New Year Honours list. The file was available online for two hours and 21 minutes, and was read 3,872 times.
“Wholly disproportionate”
The Cabinet Office appealed against the £500,000 fine to the First-tier Tribunal (General Regulatory Chamber) in December 2021, arguing that the level of penalty was “wholly disproportionate” in relation to the imposition of the penalty.
“The ICO is a pragmatic, proportionate and effective regulator, focusing on making a difference to people’s lives. While I consider the original fine was proportionate in all the circumstances of this case due to the potential impact on the people affected by the breach, I recognise the current economic pressures public bodies are facing, and the fact that in certain cases fines may be less critical in achieving deterrence,” said John Edwards, UK Information Commissioner.
Both parties have agreed on the new £50,000 agreement, which has also been approved by the Tribunal. Otherwise, the Cabinet Office’s appeal before the Tribunal is dismissed and the hearing listed before the Tribunal on 4 November has been vacated.
“We welcome the agreement reached with the Cabinet Office and we will continue to work with them to ensure people’s information are being looked after”, said John Edwards.
Public approach
The reduced fine is in line with the ICO’s updated approach to work more effectively with public authorities. The work was outlined earlier in June in an open letter from Edwards to public authorities. With this strategic approach, which will be trialled for two years, the ICO is hoping to shape better engagement with the public sector, to share good practices and publish cases of data breach, connected with reduced fines.
“Since the fine was issued last year, I have adopted a new approach to working more effectively with public authorities to raise data protection standards. As I have explained, in certain circumstances large fines on their own may not be as effective a deterrent within the public sector. I am willing to use my discretion to reduce the amount of fines on the public sector in appropriate cases, coupled with better engagement including publicising lessons learned and sharing good practice,” said Edwards.
This penalty was issued under the Data Protection Act 2018 (DPA 2018) for infringements of the GDPR.