This article was written by James Downes and Julian Chan-Diaz.
On Boxing Day, the Cabinet Office accidentally published a downloadable Honours List file on its website containing the addresses of 1097 people, some of whom were prominent public figures. This is the kind of Christmas giving which current data protection law does not permit. Once the leak became apparent, the file was quickly retracted by the Cabinet Office on the same day, but it nonetheless constituted an embarrassing disclosure by the civil service, one that has serious data protection implications and that may also give rise to claims for misuse of private information.
As is now well-known by many businesses operating both in the UK and within the EU, the safeguarding and transfer of personal data is now subject to the General Data Protection Regulation (“GDPR”) introduced on 25 May 2018. Compliance is mandatory for all those operating within EU member states and failure to comply can result in steep fines (GDPR is set to remain UK law after Brexit).
Under Article 33, any organisation (or ‘data controller’) which becomes aware of a data breach is under a duty to notify its national supervisory authority within 72 hours. In the UK, the supervisory authority is the Information Commissioner’s Office (the “ICO”). The ICO both monitors compliance with and enforces the requirements of GDPR, amongst other data protection legislation. It is understood that the Cabinet Office immediately reported the breach to the ICO as required by Article 33, which helps to reduce the severity of any penalty which might be imposed.
In assessing the level of fine (if any), the ICO will consider under Article 83(2) a number of factors, such as the gravity of the breach and the number of individuals or ‘data subjects’ affected. Depending on the adequacy of the Cabinet Office’s data protection measures, it is as yet unclear whether the ICO will impose fines or simply issue a warning notice. Under Articles 79 and 82, data subjects are also entitled to sue the Cabinet Office (i.e. the state) for the breach of their data in their individual capacities. To bring a claim, the individuals need to show they have suffered either material or non-material damage as a consequence of the data breach. Section 168(1) of the Data Protection Act 2018, which supplements GDPR, has confirmed that non-material damage includes distress, which would be the most likely form of damage suffered by the individuals in this instance. However, recent case law, as shown in the Court of Appeal case of Richard Lloyd v Google LLC, means that a mere breach of data protection law may also entitle individuals to compensation on the basis that they have lost control of their data (the case was brought under the former Data Protection Act 1998, but the principles remain the same). Again, it is still unclear whether any of the 1097 individuals will take legal action.
In addition, the individuals will also have claims for misuse of private information on the basis that they have a reasonable expectation of privacy that their addresses will not be disclosed or published (and there can be no defence to the acts). Indeed, a number of individuals have historically complained to the press regulator, IPSO, on the basis of far less information being published, but which nonetheless led to their home addresses being (arguably) identifiable.