On Friday 27 December 2019 at 22:30, the Cabinet Office published the New Year Honours List 2020 on www.gov.uk. As part of this publication a version of the honours list was published online which contained address details of the 1,097 recipients. This was done in error. The document was accessible for approximately 40 minutes, and was available to those who had already accessed the information for a further 150 minutes via the original web link.
This incident was a result of human error. The Honours and Appointments Secretariat is responsible for managing and publishing the Honours lists. The New Year 2020 honours round was the first to use a new IT system from which a report was downloaded to create a file for publication.
The sensitivities around address data had been identified as a risk and previous versions of the file prepared for publication had not included address data. As part of the final checking process, further amendments were made to the file and a version of the file, including address data, was mistakenly sent for publication.
The team was made aware of the error at 23:00 on 27 December and the link was removed from the Cabinet Office web page within 10 minutes. It took a further 150 minutes to close the link to the document and remove the page altogether. In this intervening period those who opened the link or had the web page address could still open the document.
The immediate concern following the publication of this information was to ensure that there was no increased risk to any individuals and that their security was being appropriately managed. The Cabinet Office worked with the police and relevant authorities to identify any potentially high-risk cases and put in place any necessary actions. Over 48 hours, the Department made contact with all affected individuals to inform them of what had taken place, provide contact details and to apologise for this incident. Chief Constables were briefed through the National Police Chiefs’ Council, and local forces made assessments for all recipients.
The Department has worked with the relevant organisations to ascertain the extent of the access to the data. We have no evidence that data has been exploited by a third party, or shared more widely, though we continue to be vigilant.
The Government have been informed by the police and other agencies that there is no information to suggest an increased risk in relation to any persons as a result of this data breach. This is not to underestimate the concern this incident may have caused for individuals. On behalf of the Cabinet Office I apologise unreservedly for any distress or inconvenience caused.
Appropriate management action will be taken in response to this incident. Changes have already been made to ensure the relevant IT system generates reports containing only data that is suitable for publication, removing the scope for further human error. I have also instructed the Government Digital Service to improve their processes to ensure all access to data can be removed much more rapidly when required.
The Department reported the matter to the Information Commissioner on Saturday 28 December 2019 and will co-operate fully with its on-going inquiries. In addition, I am announcing today an independent review of data handling practices within the Cabinet Office. This review will focus on process, culture, policy and practice within the Department. It will establish whether appropriate controls are in place around the storage, sharing and deletion of personal data, including learning lessons from this case. More information on this review will be published shortly.