THE government could be hit with a compensation bill for breaching data rules after they published the addresses of honours winners.
A probe had been launched over how the addresses ended up online as Iain Duncan Smith, who was knighted in the latest honours list, described the alleged data breach as a “complete disaster”.
There have also been calls for an inquiry into the leak, which is being investigated by the Information Commissioner’s Office (ICO).
Sir Iain said: “Ministers need to be asking some very serious questions of those involved about how this was allowed to happen and why no final checks were carried out before the document was published.”
“Everybody knows virtually everything about me. It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published.”
The list also included senior diplomats, counter-terror police and figures from the military. Lawyers warned last night that the compensation bill could run into the millions.
Sean Humber, a data breach specialist at law firm Leigh Day, said: “Those individuals on the list affected by the data breach are likely to have claims for compensation for unauthorised disclosure of their personal information, including for any anxiety or distress suffered, as well as the costs for any reasonable action they now feel they need to take as a result of the blunder.”
Mark Stephens, media and privacy expert at law firm Howard Kennedy, said: “This is an unforgivable breach of data protection. The people adversely affected would be entitled to make a joint claim for compensation in the High Court.”
Silkie Carlo, director of privacy campaign group Big Brother Watch, said it was “extremely worrying to see that the Government doesn’t have a basic grip on data protection”, adding: “It’s a farcical and inexcusable mistake, especially given the new Data Protection Act passed by the Government last year – it clearly can’t stick by its rules.”
Lord Kerslake, who was head of the civil service between 2012 and 2014, said an “urgent investigation” was needed.
He said: “It is a serious and indeed extraordinary breach because this is a well-established process that has gone on in pretty much the same way for years, so I think an urgent investigation is certainly needed.”
“Of course, it’s likely to be human error, as has been suggested, but we need to know how well staff were trained about the importance of maintaining security. Were they briefed on the potential consequences if this information was released?”
The introduction of General Data Protection Regulation (GDPR) rules in May 2018 increased the penalties regulators such as the ICO are able to impose.
It means breaches can result in the ICO issuing penalties equivalent to up to 4 per cent of annual global turnover or £17million – whichever is greater.
Previously, the largest penalty the ICO meted out was to Facebook when it was fined £500,000 – the maximum allowed at the time – for failing to protect users’ personal data.
But in July, the ICO announced its intention to fine British Airways £183million for its own data breach, which will become the largest penalty ever issued by the regulator once the process is completed.