‘Postmasters have once again been let down’ – Post Office reprimanded over two-month data breach

Post by TrueBlueTerrier »

https://www.publictechnology.net/2025/1 ... ta-breach/

Information Commissioner’s Office takes official action against public corporation, after concluding that the organisation failed to implement key measures that could have averted incident in which sensitive data was released

The Post Office has been hit with a formal reprimand following an “entirely preventable” data breach in which personal details of victims of the Horizon scandal were published openly online for almost two months.

In April 2024, representatives of the Post Office erroneously released an unredacted version of a document relating to a legal settlement with Horizon victims, according to the Information Commissioner’s Office. Included in the online publication were the names, home addresses and professional details of 502 postmasters engaged in a group litigation process.

The document remained publicly accessible from 25 April to 19 June and was only taken down after the Post Office was alerted to the data breach by an external law firm.

The ICO’s investigation of the incident found that the Post Office had “failed to implement appropriate technical and organisational measures to protect people’s information”.

Such absent measures include a lack of clear policies and established processes for publishing potentially sensitive information. This was compounded by “insufficient staff training”, according to the regulator.

In light of these failings, and accepting the claims that the breach caused “stress and anxiety” to those affected, the ICO has hit the Post Office with a formal public reprimand.

The data watchdog added that, despite its policy of typically eschewing financial penalties for public-sector bodies, it had considered imposing a fine of nearly £1.1m. However, it was concluded that the incident had not passed the threshold of being considered “egregious”.

Sally Anne Poole, the ICO’s head of investigations, said: “The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this. The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.”

She added: “Other organisations should take notice of this reprimand and apply its learnings, so they don’t find themselves making the same mistake. Data protection by design must be embedded into everyday operations so people’s information is handled appropriately.”

According to the ICO, the major lessons that can be learned from the breach include that organisations should ensure to “understand the data you handle” and support this understanding with the establishment of “clear publication protocols”.

Companies and public bodies should also make sure to “centralise and classify documents… define roles and responsibilities… [and] tailor training to the task”, the regulator added.

Those wishing to find out more were pointed towards the watchdog’s data protection audit framework.