‘Serious risk’ of personal data leaks to add to honours blunder
A GOVERNMENT department that leaked details of the New Year Honours list is at “significant risk” of making bigger personal data breaches, a review has found.
The Cabinet Office was forced to apologise after the home addresses of celebrities, military figures and elderly people named in the 2020 list were inadvertently posted online.
Counterterrorism officers, politicians and celebrities, including Sir Elton John and the former Tory leader Sir Iain Duncan Smith, were among more than 1,000 recipients who had their home addresses revealed in the breach.
A total of 1,097 people were awarded honours, and it is understood that most of the entries on the spreadsheet included full addresses with house numbers and postcodes.
Adrian Joseph, who conducted the review “Building trust in digital government: a review of personal data handling in the Cabinet Office”, which looked at the department’s handling of personal data, found such breaches were “too easily assigned to human error”.
He concluded that a “greater consistency of process, controls and culture” could have “reduced the risk systemically”.
“There is a significant risk that further and more impactful breaches will occur as the amount of personal data being handled by the department increases,” Mr Joseph said in his executive summary.
The Cabinet Office has amassed more than 200 million emails, documents and other digital files since it first began storing such information 20 years ago. This is expected to increase by more than 50million records a year, although not all will be personal data.
Mr Joseph recommended a new data strategy be adopted and that staff undergo refreshed training.
While there were good examples of processes and controls, the report found an “inconsistent application and lack of monitoring” limited the ability to protect against and respond to data breaches.
Google Drive is the standard platform for all “Official” and “Official-sensitive” information within the department, which can include research, policy submissions and HR data, the report explained.
On the New Year Honours breach, the review said the offending details were online and accessible for “approximately 40 minutes” before the error was identified and the link removed.
It added: “The document was still available to those who knew the specific URL address for a further 150 minutes.”
The report said the Cabinet Office identified two main factors that contributed to the breach, including the introduction of a new IT software package and a “lack of clarity” about the sign-off processes for the final version of the online documents.
Sir John Manzoni, permanent Secretary for the Cabinet Office, said in response to the review that, while the ease and speed of sharing personal data “allows us to make better decisions”, there were also “some risks that we need to mitigate against. Across the Cabinet Office, we need to continue to handle personal data in ways that are appropriate, secure and protect privacy.”
Sir John said “some steps” have already been taken to improve the understanding of how personal data should be handled across the department.