The Post Office has avoided a fine over a data breach that resulted in the mistaken online publication of the names and addresses of more than 500 post office operators it had been pursuing during the Horizon IT scandal.
The Information Commissioner’s Office (ICO) has reprimanded the Post Office over the breach, which saw the company’s press office accidentally publish on its website an unredacted version of a legal settlement document with the operators.
The ICO said the data breach in June last year, which involved the release of names, home addresses and operator status of 502 out of the 555 people involved in the successful litigation action against the Post Office led by Sir Alan Bates, had been “entirely preventable”.
“The people affected by this breach had already endured significant hardship and distress as a result of the IT scandal,” said Sally Anne Poole, the head of investigations at the ICO.
“They deserved much better than this. The postmasters have once again been let down by the Post Office. This data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.”
The ICO said its investigation had found that the Post Office failed to implement appropriate “technical and organisational measures” to protect people’s information.
The data watchdog highlighted a lack of documented policies or quality assurance for publishing documents online, as well as “insufficient” staff training with “no specific guidance on information sensitivity or publishing practices”.
The ICO said it had initially considered imposing a fine of up to £1.09m but decided that the data breach did not reach the threshold of “egregious” under its approach to fining public-sector companies.
The Open Rights Group (ORG), a campaigning organisation, said the ICO’s determination that the data breach was not egregious was “ludicrous”.
“This reprimand is a go-ahead for public organisations in the UK to keep inflicting harm, knowing that the ICO will let them off the hook,” said Mariano delli Santi, a legal and policy officer at the ORG. “As reprimands lack the force of law, the Post Office can rest assured that they will not face consequences if they fail to address their shortcomings.”
Last June, the Post Office apologised for the data breach, with Nick Read, then the chief executive, saying the leak was “a truly terrible error”.
The former post office operator Christopher Head tweeted the text of a letter he had written to Read and Nigel Railton, the chair of the Post Office, in which he said that many of his colleagues “hadn’t shared details with their own families” at the time.
The Post Office settled the civil claim brought by 555 claimants for £57.75m over the wrongful prosecutions on faulty Horizon evidence – amounting to £12m after legal costs – without admitting liability, in December 2019.
Last May, hundreds of post office operators convicted on charges including false accounting, theft and fraud were exonerated by an unprecedented act of parliament.
