Uh oh. That field was supposed to be deleted, not just hidden… It is a very easy mistake to make, particularly when a number of people are working in the same spreadsheet, against a deadline and using a new IT system. However, this error happened in relation to the Cabinet Office’s upload of the 2020 New Year’s Honours recipient list. The ‘supposedly’ deleted field contained the postal addresses of more than a thousand people receiving New Year’s honours, including those with a high public profile. The spreadsheet was uploaded to the GOV.UK website, remained publicly available for over 2 hours late at night and was accessed over 3,872 times.
The data breach by the Cabinet Office is the subject of the ICO’s latest fine of £500,000. Interestingly the ICO maintained that the Cabinet Office’s spending/budget was not “used in any sort of mechanistic fashion to determine the penalty amount”, perhaps suggesting a shift away from turnover being an automatic starting point for fines. Indeed, although involving different types of organisations, this latest action echoes the recent ICO penalties against the charities HIV Scotland (discussed in our Data Privacy Newsletter) and Mermaids (discussed in our previous post). In each case the potential impact of the breach on data subjects was significant and in all three actions, it was basic security failings compounded by human error that caused the issue.
In addition to reemphasising that organisations need to ensure they get the basics of their data security correct, there are a couple of useful insights from this action in particular:
KYD (Know your data)
- The ICO maintains the Cabinet Office should have provided a high standard of organisational and technical measures in relation to the important activity it was undertaking and in light of the high profile and vulnerable individuals on the Honours List. Controllers must put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. To be able to do this, they need to have a proper understanding of the categories of personal data they hold and the risk that processing it poses to those individuals.
- In this instance, the Cabinet Office staff were aware of the problem with the new IT system that produced the erroneous spreadsheet with the additional postal-address field, but because of the urgency of the Honours List they chose to “amend the output, as opposed to the report build itself”, which facilitated the breach. This emphasises how accountability and privacy culture are critical in ensuring organisations’ data security measures succeed: data privacy must be properly prioritised commensurate with the sensitivity and risk associated with the data (and safeguards built in to help individuals working at pace, under pressure and with competing demands).
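The failure above is a hidden worksheet column being mistaken for a deleted one. As an added illustration (not from the original post or the Cabinet Office’s systems), here is a stand-alone pre-publication check, using only the Python standard library, that flags hidden columns and rows in an .xlsx worksheet before a file is uploaded; the sample worksheet XML and the column name it hides are constructed for the example.

```python
"""Pre-publication check: flag hidden columns/rows in an .xlsx worksheet."""
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by worksheet parts inside an .xlsx package.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def col_letter(n):
    """Convert a 1-based column index to its letter label (1 -> A, 27 -> AA)."""
    label = ""
    while n:
        n, rem = divmod(n - 1, 26)
        label = chr(65 + rem) + label
    return label


def find_hidden(sheet_xml):
    """Return (hidden_columns, hidden_rows) declared in one worksheet part."""
    root = ET.fromstring(sheet_xml)
    cols = []
    for c in root.findall("m:cols/m:col", NS):
        if c.get("hidden") in ("1", "true"):  # OOXML boolean attribute
            for i in range(int(c.get("min")), int(c.get("max")) + 1):
                cols.append(col_letter(i))
    rows = [int(r.get("r")) for r in root.findall("m:sheetData/m:row", NS)
            if r.get("hidden") in ("1", "true")]
    return cols, rows


def check_workbook(path):
    """Scan every worksheet in an .xlsx; return {part_name: (cols, rows)} for any with hidden data."""
    findings = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("xl/worksheets/sheet") and name.endswith(".xml"):
                cols, rows = find_hidden(z.read(name))
                if cols or rows:
                    findings[name] = (cols, rows)
    return findings


# Constructed sample worksheet: column E hidden rather than deleted, and row 4 hidden.
SAMPLE_SHEET = b"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="5" max="5" width="0" hidden="1" customWidth="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>
    <row r="4" hidden="1"><c r="A4" t="inlineStr"><is><t>withheld</t></is></c></row>
  </sheetData>
</worksheet>"""

if __name__ == "__main__":
    print("hidden columns / rows:", find_hidden(SAMPLE_SHEET))
```

A non-empty result from `check_workbook` should block the upload and send the file back to have the offending columns removed from the report build, not merely hidden in the output.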
Also this week, the ICO has not only published its provisional ‘view to fine’ Clearview AI Inc over £17 million but also ordered the tech firm to cease processing the data of UK individuals. This action relates to the processing of UK data subjects’ data as part of the database of allegedly 10 billion images the company holds, against which subscribers can “face search” using biometric and facial recognition technology. The ICO’s announcement follows a joint investigation by the ICO and the Office of the Australian Information Commissioner, showing the ICO is looking outwards and forging new alliances in this post-Brexit era.
The ICO’s public statement outlines a raft of suspected failings by Clearview spanning the most fundamental principles of the GDPR, including a lack of lawful basis for processing, transparency failings, a failure to meet the higher standards for special category data, and data retention failings. Notably, this action shows the ICO doing more than just using fines to ensure effective action, particularly in situations that affect a very large number of individuals. The ICO is perhaps also showing us that, as the sole regulator for the UK GDPR, it is prepared, like its EU contemporaries with the EU GDPR, to take on the long-term, high-profile and cross-border investigations we have seen in relation to WhatsApp and Amazon in the EU. Certainly it is consistent with the trend among data privacy regulators in the UK and the EU towards robust enforcement against organisations that process data unlawfully for commercial ends.