ICO issues reprimand to the Post Office over Horizon IT scandal data breach

03/12/2025 | ICO

The Information Commissioner's Office (ICO) has issued a formal reprimand to Post Office Limited following a personal data breach that exposed the personal information of hundreds of postmasters involved in the Horizon IT scandal. Although the ICO initially considered imposing a fine of up to £1.094 million, it decided the infringement did not meet the "egregious" threshold required under its public sector approach.

The breach occurred when the Post Office's communications team mistakenly published an unredacted legal settlement document on its corporate website between 25 April and 19 June 2024. The document contained the names, home addresses, and postmaster status of 502 individuals who were part of a group litigation against the organisation.

The ICO's investigation found that the Post Office failed to implement appropriate technical and organisational measures, citing a lack of documented policies or quality assurance processes for publishing documents, and insufficient staff training. Following the breach, the Post Office offered compensation, provided identity protection services, and established a new documented publishing policy and emergency working group to improve internal controls.

In a statement responding to the news, Mariano delli Santi, Legal and Policy Officer at Open Rights Group, said: "The ICO assessment that the Post Office data breach would not qualify as 'egregious' is ludicrous. The Horizon scandal was a human tragedy where thousands of innocent people faced unjust convictions, imprisonments and bankruptcies, leading at least thirteen people to commit suicide. The Post Office failure to protect the identities of these victims adds insult to that injury.

"This reprimand is a go-ahead for public organisations in the UK to keep inflicting harm, knowing that the ICO will leave them off the hook. As reprimands lack the force of law, the Post Office can rest assured that they will not face consequences if they fail to address their shortcomings, and another data breach happens in the future. The ICO should have, at the bare minimum, issued an enforcement notice that legally binds the Post Office to take action.

"The behaviour of the ICO is unacceptable, and an insult to the human cost that victims of the Horizon scandal have suffered. We reiterate our call to the Select Committee for Science, Innovation and Technology to open an inquiry into the Information Commissioner's Office."

