A Government department admonished for leaking honours list details is at “significant risk” of making further and bigger personal data breaches, a review has found.

The Cabinet Office apologised after the home addresses of celebrities, military figures and elderly people named in the 2020 New Year Honours list were inadvertently posted online.

Adrian Joseph, conducting a review of the department’s handling of personal data, found such breaches are “too easily assigned to human error” where a “greater consistency of process, controls and culture” could have “reduced the risk systemically”.

He added in his executive summary: “There is a significant risk that further and more impactful breaches will occur as the amount of personal data being handled by the department increases.”

The front page of the review into the Cabinet Office (PA)

Mr Joseph added that the recommendations in his review, including confirmation of a new data strategy and refreshed training, sought to build protection into the system for handling personal data.

Mr Joseph, whose position is listed as managing director, group AI and data solutions at BT, observed that good examples of processes and controls exist.

But he said “inconsistent application and lack of monitoring” limited the ability to protect against and respond to data breaches.

The Cabinet Office has amassed more than 200 million emails, documents and other digital files since it first began storing such information 20 years ago, the report noted.

It also said this is expected to grow by more than 50 million records a year, adding that not all of it will contain personal data, but that the volume of personal data would also be expected to increase.

The department's data handling includes HR responsibilities for almost 8,000 employees and, from April 2020, security vetting.

An extract from the data review at the Cabinet Office (PA)

This involves processing personal data, including on relationships, financial affairs and political beliefs, on a “significant portion” of the 250,000 people subjected to it.

Google Drive is the standard platform for all “Official” and “Official-Sensitive” information within the department, which can include research, policy submissions and HR data, the report explained.

Teams seek to limit access to data to specific individuals, although the report said such measures “are often imposed too late and there are examples of personal data being accessible to whole teams”.

The review went on to state: “Growing volumes of orphaned data and ‘digital hoarding’ leave the department vulnerable to further breaches and weakens its ability to comply with FOI (Freedom of Information) and public records requests.”

On the New Year Honours breach, the review said the offending details were online and accessible for “approximately 40 minutes” before the error was identified and the link removed.

It added: “The document was still available to those who knew the specific URL address for a further 150 minutes.”

The report said the Cabinet Office identified two main factors which contributed to the breach: the introduction of a new IT software package and a “lack of clarity” about the sign-off processes for the final version of the online documents.

The Queen and the Duke of Edinburgh meet John Manzoni, chief executive of the Civil Service (Anthony Devlin/PA)

Sir John Manzoni, Permanent Secretary for the Cabinet Office, said in response to the review: “Sharing personal data more quickly and more easily allows us to make better decisions about the services we offer and how we offer them.

“But doing so brings some risks that we need to mitigate against.

“Across the Cabinet Office, we need to continue to handle personal data in ways that are appropriate, secure and protect privacy. Getting that right is not always easy, but it is vital to maintaining public trust.

“Adrian has set out in this review some very sensible recommendations about how we can balance making better use of personal data with more robust safeguards.”

Sir John said “some steps” have already been taken to improve the understanding of how personal data should be handled across the department.