There’s never a good time to accidentally publish a huge batch of personal data online, but the interregnum between Christmas and New Year, when nothing happens and most people are bored is a particularly unfortunate moment to choose. The Cabinet Office’s foul-up in publishing the home addresses of the thousand or so people in receipt of a gong as part of the New Year’s Honours was particularly ill-timed, but given the diverse nature of those affected, it’s hard to imagine that there would ever be a time where it wouldn’t hit the headlines. The location of Elton John’s mansion is probably not a secret, but many honours recipients are not celebrities, and some might be put at risk by their addresses being known.
In many ways, the story is familiar. The Cabinet Office say it’s an accident, the BBC dig up a Data Protection ‘expert’ I’ve never heard of to say nothing in particular about it, and everyone on LinkedIn has made their mind up. But there is one interesting aspect that recent changes to legislation has significantly altered. One of the other people enjoying a moment in the spotlight was the CEO of a software company. He downloaded the spreadsheet on Friday night, and regaled Radio 4’s PM programme with the details of the diligent research he had done into the homes of some of the people on the list.
The GDPR does not apply to the data processing activities of “a natural person in the course of a purely personal or household activity“, but the Data Protection Act 2018 (like its predecessor the DPA 1998) works differently, and significantly differently for situations like this. Section 170 makes it an offence for a person knowingly or recklessly to “obtain or disclose personal data without the consent of the controller“, to procure such an unauthorised disclosure and finally “after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained“. The obtaining, procuring and disclosing elements were there before, but the offence of retaining data is new. A legal entity could clearly be charged with any of these offences, but the majority of prosecutions (mounted unusually by the ICO rather than the CPS) for the old S55 and the new S170 offences are individuals.
And here’s the punchline. It’s quite possible that the Cabinet Office’s procedures and controls are flawed, or their training is deficient (or both). In such circumstances, the organisation would have infringed the GDPR and potentially face a fine as a result. Given the Information Commissioner’s obsession with headlines and over-reaction to high profile events, I suspect a fine in this case is quite possible. It’s also possible that everything inside the Cabinet Office is absolutely mint and this is just a monumental cock-up. I don’t know, and I’m prepared to wait and see what the ICO finds out when they investigate. I might relentlessly take the piss out of the Commissioner’s Office, but one of the things I’m happy to acknowledge that they’re good at is getting to the bottom of security incidents and why they happened.
However, none of that makes any difference to anyone who accesses the honours spreadsheet. An organisation may significantly infringe GDPR and breach confidentiality by sending personal data to the wrong place or making it available online, but that does not give a free hand to the recipient. Anyone who innocently accessed the spreadsheet cannot be held responsible for the fact that they are now aware of personal data to which they were not entitled, but the moment you download the data, there’s an argument that you have obtained it without the consent of the data controller. Sometimes this might not be obvious, but in this case, there can be no doubt that the Cabinet Office did not intend for the data to be disclosed, and so anyone accessing it is doing so without the controller’s consent.
Of course, you might not have realised what you were downloading, so you’re almost certainly not acting knowingly or recklessly at that point. However, it’s probably a safe assumption that in the hour or so that the spreadsheet was available, it was downloaded multiple times. So what of the people who still have a copy? Nobody can be in any doubt about the fact that it was published by mistake, so its continued retention is without the Cabinet Office’s consent.
It would be a bold claim to accuse everyone who still has a copy of committing a criminal offence, but under the 1998 Act, it would be impossible to do so. I’ve been directly involved in multiple incidents where a controller mistakenly sent data to the wrong person and had huge difficulties in recovering the data or securing its destruction. The person hadn’t deliberately stolen a copy of the data or sought to access it, so what do you do if they refuse to hand it back or delete it? Those with long memories might remember the huge bill racked up by Belfast City Council in their ultimately successful attempt to prevent the misuse of data about elected members that they inadvertently sent to a woman in England. The new offence changes the rules. Merely possessing the data is potentially an offence, and I think this should give pause for thought to anyone who still has a copy.
There are some defences that a person can mount – you can argue that retention is necessary to prevent or detect crime, is legally authorised or because of the particular circumstances, is in the public interest. For example, if you retained data because you wanted to blow the whistle or report it to the Information Commissioner, especially if the controller wasn’t going to and you thought they should, I would guess that this would be a solid defence against prosecution. But in this case, it’s clear that the Cabinet Office has already notified the Commissioner, the nature of the compromised data is not in doubt, and it’s difficult to see what public interest there would be in keeping the personal data of innocent people, however badly the Cabinet Office may turn out to have handled it.
There have been, as far as I know, no prosecutions for the retaining offence so far – the only action has been a rather insipid press release from the ICO about a case that they might have been able to prosecute under the new legislation. It’s entirely possible, even likely, that the ICO won’t seek to criminalise people solely for having data in their possession unless they do something nefarious with it or refuse to get rid of it when asked to. Nevertheless, if you have a copy of the honours data on your laptop right now, my very strong advice as your friend and unappointed DPO is to delete it forthwith, and await the outcome of the ICO’s investigation sometime in 2021.