weerapat1003 - stock.adobe.com

Cabinet Office launches data handling review

Oliver Dowden issues statement explaining the New Year Honours list leak and announces new practices after the publication of personal details of over 1,000 public figures

The Cabinet Office has issued a statement around its investigations into the government leak of personal data of several hundred prominent figures in the 2020 new year honours list, and announced a review of data handling practices.

According to minister Oliver Dowden, the exposure of work and home addresses of 1,097 recipients was “a result of human error”, originating in the Honours and Appointments Secretariat, responsible for managing and publishing the honours lists.

The error led to the publication of addresses of various public figures including musician Elton John, the chief executive at NHS and the former work and pensions secretary Iain Duncan Smith, who told the Sunday Times the occurrence was a “complete disaster”.

Dowden also cited that a new IT system was also used for the first time to handle the task, from which a report was downloaded to create a file for publication.

According to the minister, address data had been previously identified as a risk and previous versions of that file for publication did not include address data, but towards the end of the checking process prior to releasing the names online, a version of the file with the sensitive information was accidentally published.

Changes have been made to the IT system used to generate the reports around the honours list as a result of the accident to ensure it only generates data that can be published, thus reducing the possibility of human error. The error was reported to the Information Commissioner’s Office the day after the leak happened.

In addition, Dowden announced a review of data handling practices inside the Cabinet Office, focusing on process, culture, policy and practice within the department. “[The review] will establish whether appropriate controls are in place around the storage, sharing and deletion of personal data, including learning lessons from this case,” the minister noted in the statement.

Read more about data privacy

In the update, the minister described the timeline of the blunder, which started with the publication of the honours list on Friday 27 December 2019 at 22:30. It took half an hour until the team was made aware of the publication of addresses of the recipients.

The link was removed from the Cabinet Office web page at 23:10, and it tool a further 150 minutes to close the link to the document and remove the page altogether, according to the statement. Meanwhile, those who opened the link or had the web page address could still open the document.

As well as taking the necessary measures alongside the Police to identify and handle potentially high-risk cases, Dowden said the Cabinet Office also worked with relevant organisations to understand the extent of the access to the data and concluded “there is no information to suggest an increased risk in relation to any persons as a result of this data breach”.

Read more on IT for government and public sector

Data Center
Data Management