The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited after it committed an “entirely preventable” data breach that resulted in the unauthorised disclosure of Horizon victims’ personal information.
The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.
When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. It also found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.
Sally Anne Poole, ICO Head of Investigations, said:
“The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this.
“The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.
“Other organisations should take notice of this reprimand and apply its learnings, so they don’t find themselves making the same mistake. Data protection by design must be embedded into everyday operations so people’s information is handled appropriately.”
The ICO had initially considered imposing a fine of up to £1.094m. However, the ICO did not consider that the data protection infringements identified reached the threshold of ‘egregious’ under its public sector approach, and a reprimand has been issued instead.
The ICO’s public sector approach focuses on raising data protection standards across the UK public sector. It prioritises early engagement and other enforcement tools such as warnings, reprimands, and enforcement notices, while issuing fines for only the most egregious breaches in the public sector.
Following the breach, the Post Office took a number of steps to mitigate the impact on affected people, including:
- Offering compensation to all people named on the deed and affected by the publication, with payments made to the majority.
- Providing identity protection services, including 24 months of fraud monitoring and dark web surveillance.
- Contacting search engines and archives to remove cached versions of the document.
- Establishing an emergency working group to review the incident and improve internal controls.
- Creating a new documented policy for publishing information on its corporate website.