News & InfoEP StoreAcademySupportCommunityProducts by Country
Legal & Compliance Home

Cabinet Office Fined £500,000 for Disclosing Addresses of High-Profile Individuals

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for accidentally publishing the postal addresses of 2020 New Year Honors recipients online. 
July 9, 2022
Cabinet Office fined for disclosing addresses

This decision comes hot on the heels of other ICO penalty decisions, including its recent decisions to fine two charities £10,000 and £25,000 for breaching the UK GDPR. As this latest decision concerns the data of high-profile individuals, there are a number of takeaways for production companies.

What happened?

In December 2019 the Cabinet Office accidentally published on GOV.UK a CSV file containing the names and postal addresses of more than 1,000 people included on the New Year Honours list. The list included individuals from a wide range of professions, including high-profile individuals.

A member of the Government Communications Team came across the breach “by chance” and alerted the Cabinet Office Press Team. The file was permanently deleted from the website two hours and 21 minutes after it was published. Before its deletion, it was accessed 3,872 times from 2,798 IP addresses.

The Cabinet Office reported the breach to the ICO within 72 hours of discovering it.

The decision

Following an investigation, the ICO found that the Cabinet Office had breached Article 32(1) of the UK GDPR because it had failed to put in place appropriate technical and organisational measures which reflected the risk associated with the processing of the data.

The ICO initially issued the Cabinet Office with a notice of intent to impose a penalty of £600,000. However, the Cabinet Office contested the fine and the ICO subsequently reduced it to £500,000.

Despite the reduction, this is still a heavy fine. Among other things, the ICO based its decision on the following factors: 

  • Although the file wasn’t online for very long, the publication of the list was a high-profile event and the list was accessed nearly 4,000 times. 
  • Although the information constituted basic identifying information and not sensitive data, it concerned a large number of individuals, including high-profile individuals. 
  • While documents regarding best practice for handling data had been accessible to employees on the Cabinet Office’s intranet, these were not regularly updated or promoted. 
  • While the Cabinet Office had implemented mandatory data protection training before the incident, not all employees who were involved in the processing of personal data had received training in the past two years.
  • The Cabinet Office had also identified that there were issues with access restrictions often being imposed “too late,” resulting in some personal data being accessible to entire teams.
  • The data breach could easily have been avoided, but the Cabinet Office had failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. 

Key takeaways for production

This decision has a number of key takeaways for production companies and their teams: 

  • As the ICO is continuing to crack down on organisations which don’t have sufficient safeguards in place to protect people’s data, it’s essential to have adequate security measures in place. (Not sure where to start? See how the Production Portal can help you to protect your data.)
  • Personal information pertaining to high-profile individuals poses a particular risk. This includes basic contact information, such as addresses and phone numbers (swapping paper documents (eg, start forms, contracts and call lists) for digital versions can help to mitigate this risk).
  • It’s important to have appropriate data protection policies in place and a means to update and promote these through ongoing trainings. It’s also important to have a clear audit trail of who’s read and agreed to your policies.
  • Access to personal data should be restricted to those who need it and updated as soon as crew change roles.

For more information on how to secure your production data, check out our guide to information security.

Topic: UK

Related Content

Blue graphic with map of UK and title ICO penalty following ransomware attack

ICO issues £98,000 penalty following ransomware attack

Information Commissioner’s Office (ICO) imposed penalty on a leading UK law firm for breaching the UK...
Topic: UK

UK GDPR Compliance for Productions: Q&A with Sheridans

Special category data, liability, data transfers and reporting - Sheridans answer your questions on the UK...
Topic: UK

The UK GDPR and how Productions can Reduce their Exposure - Q&A with Sheridans

Sheridans’ Associate Krishan Neelendra answers key UK GDPR questions from production companies and...
Topic: UK
Changes to UK right to work checks

Important Changes to UK Right to Work Checks

On September 30, 2022 the UK rules around right to work checks will change. Here’s what productions need...
Topic: UK
Los Angeles Times logo-sq

Hollywood production in U.K. soars to record levels as crews complain of burnout

Spending on film and high-end television shoots reach record-breaking amounts as production activity...
Compliant crew contracting panel-square

Compliant Crew Contracting in the UK

Learn how to ensure your crew contracts are compliant with UK regulations and why the Production Portal is...
Topic: UK
Blue graphic with map of UK and title ICO fines charity for GDPR breach

ICO Fines Charity £10,000 for UK GDPR Breach

According to the ICO, the charity failed to apply appropriate organizational and technical security...
Topic: UK

Contracting in a COVID-19 World  

The pandemic has affected how UK production companies contract crew. Here’s how to reduce the impact of...

Terms to Include in UK Crew Contracts

Common terms which studios and production companies include in their UK crew contracts.
Topic: UK
KJ Lamb and Simon Donovan

Empowering the Next Wave of Production Accountants

The EP Production Portal team was delighted to participate in the biannual Netflix Assistant Production...
cell phone with sticky note stating sign here

Six e-Consent Myths (and Why They’re Not True)

Sheridans Associate, Sarmad Saleh, debunks some common e-consent myths.
Topic: Legal

Six Elements for Enforceable UK Crew Contracts

Although parties to a crew contract can largely enter into whatever terms they choose, certain elements...
Topic: UK
recycling conversation

Sustainability in Production: Q&A with Nikki Saunders

Nikki Saunders on sustainable filming practices, COVID-19, and why carbon offsetting isn’t a...
International Film Financing panel-featured

Film Financing Explained: International Financing

International production experts discuss how producers can utilize financing systems outside of the US,...
Crew contracting in the UK-panel

Quick and Compliant Crew Contracting in the UK

Neisha Glynternick and Sarmad Saleh from UK-based entertainment law firm Sheridans discuss crew...
Topic: Legal

Payroll & Finances

PayrollResidualsSmartStartNew SmartTimeProduction PortalEP On LocationSmartAccountingEP LiveSmartPOCASHétPayPaymaster Rate GuideEP Residency

Manage Multiple Productions

AssetHubSmartHubSmartHub Vault
Subscribe now

Be an industry insider with EP's
newsletters and alerts

LegalPrivacy NoticeSecurity
© 2022 Entertainment Partners. All rights reserved.