The online publication of the addresses of more than 1,000 New Year Honours recipients was a “complete disaster”, a former cabinet minister has said.
Ex-Tory leader Iain Duncan Smith, who was knighted, told the Sunday Times ministers needed to ask “very serious questions” about how it had happened.
Those affected included senior police officers and politicians as well as celebrities such as Sir Elton John.
The Cabinet Office has apologised and says it is investigating.
The list of 1,097 honours recipients – including high-profile names such as cricketer Ben Stokes, TV cook Nadiya Hussain and former director of public prosecutions Alison Saunders – was uploaded to an official website on Friday evening and removed on Saturday.
Most of the entries in the spreadsheet included full addresses – including house numbers and postcodes. The Cabinet Office said the document was visible for around an hour.
Sir Iain told the Sunday Times: “Ministers need to be asking some very serious questions of those involved about how this was allowed to happen and why no final checks were carried out before the document was published.”
He said most of his details were already in the public domain, but added: “It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published.”
Taekwondo world champion Jade Jones, who became an OBE, told BBC News on Saturday evening that she had not been contacted about the breach.
“Obviously mistakes can be made and I know it is dangerous people’s addresses getting out but, you know, I’m sure they didn’t do it on purpose.
Asked whether she found the leak concerning, she replied: “It is scary but it’s a good job I do taekwondo.”
The data breach was described as “farcical and inexcusable” by privacy campaign group Big Brother Watch.
The organisation’s director, Silkie Carlo, said: “It’s extremely worrying to see that the government doesn’t have a basic grip on data protection, and that people receiving some of the highest honours have been put at risk because of this.
“It’s a farcical and inexcusable mistake, especially given the new Data Protection Act passed by the government last year. It clearly can’t stick by its rules.”
A government spokesman said: “A version of the New Year Honours 2020 list was published in error which contained recipients’ addresses.
“The information was removed as soon as possible.
“We have reported the matter to the ICO [Information Commissioner’s Office] and are contacting all those affected directly.”
The ICO, which has the power to fine organisations for data breaches, said it would be “making enquiries”.
‘Much depends on the attitude of those affected’
There is no doubt that this is a serious data breach and the government, of all organisations, should be better acquainted with the law on disclosing sensitive personal information.
But while some of the celebrities and the police officers awarded honours may be concerned about their privacy and security, it would have been far more serious if the home addresses of those on the list of gallantry awards had been leaked.
The Information Commissioner’s Office has so far only levied one fine under the new Data Protection Act which came into effect in 2018 – a London pharmacy was fined £275,000 for careless storage of the very sensitive medical data of half a million people.
Lawyers who specialise in data protection think the ICO will see this as a less serious case of human error and may let the Cabinet Office escape with a warning about improving its practices.
But they say much now depends on the attitude of those who have seen their data leaked – they could decide to bring civil claims against the government for putting in the public domain information many of them have been determined to keep private.
Data rights lawyer Ravi Naik said the government could face legal action from those whose addresses were published, as well as from the ICO.
He also warned that anyone who came across the information should tell the ICO and not pass it onto others – because they themselves might face legal action.
Simon Winch, a sustainability professional from London, was among those who were able to access the sensitive information.
He told the BBC: “I clicked on the link on the gov.uk website at around 11pm on Friday and the spreadsheet opened up.
“At first I thought everyone on the list had given their permission to publish their personal addresses. But then I saw that some quite sensitive names were on there.”