Local Government Lawyer

The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the “unauthorised disclosure” of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.

The ICO said it had initially calculated a fine of up to £1.094 million for the breach, but concluded that the infringements did not meet the "egregious" threshold under its public sector approach, under which fines against public bodies are reserved for the most serious cases and other enforcement tools, such as reprimands, are used instead.

According to the Commissioner, the breach occurred when the Post Office’s communications team “mistakenly published” an unredacted version of a legal settlement document on its corporate website.

The document contained the names, home addresses and postmaster status of 502 people who were part of group litigation against the organisation.

It remained publicly accessible for almost eight weeks, from 25 April to 19 June 2024, and was removed only after an external law firm notified the Post Office.

When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement “appropriate technical and organisational measures” to protect people’s information.

The watchdog said: “We found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.”

Following the breach, the Post Office took a number of steps to mitigate the impact on affected people, including: 

  • offering compensation to all people named on the deed and affected by the publication, with payments made to the majority
  • providing identity protection services, including 24 months of fraud monitoring and dark web surveillance
  • contacting search engines and archives to remove cached versions of the document
  • establishing an emergency working group to review the incident and improve internal controls, and
  • creating a new documented policy for publishing information on its corporate website. 

However, the ICO considered that the Post Office’s acknowledgement of the infringements, the remedial measures implemented, the steps taken to mitigate damage to data subjects, and the compensation paid to the majority of data subjects in respect of the incident did not “outweigh the seriousness of the infringements”.

Accordingly, the Commissioner decided it would be appropriate to issue a reprimand to the Post Office in relation to the infringements of Article 5(1)(f) (the integrity and confidentiality principle) and Article 32 (security of processing) of the UK GDPR.

The ICO rejected an assertion by the Post Office that the inclusion of the monetary penalty figure was contrary to the Commissioner’s Data Protection Fining Guidance.

The Post Office had submitted that the Commissioner had not followed the fining guidance as he had calculated the fine amount despite not deciding to issue a penalty notice.

The ICO said in the reprimand: “The Commissioner wishes to clarify that his Fining Guidance exists alongside his public sector approach. The Commissioner clearly and publicly explained at the outset of the public sector approach that he would share the value of the fine that would have otherwise been imposed. The Commissioner’s open letter to public authorities in 2022 stated: 'We will also do more to publicise these cases, sharing the value of the fine that would have been levied, so there is wider learning'.

“This approach necessarily involves calculating the amount of the fine that would have been levied, using the Fining Guidance. This approach is entirely consistent with the Commissioner’s broader focus of raising data protection standards across the public sector and prioritising other enforcement tools, including reprimands.”

The reprimand reveals that the Post Office also made representations disputing the Commissioner’s inclusion of the monetary penalty amount that would have been deemed appropriate in the reprimand.

It said: “The Post Office submitted that it was not appropriate to include the proposed amount of any monetary penalty when the Post Office had not had the opportunity to make representations on it and the amount would necessarily change between NOI [notice of intention] and final decision in any case.”

However, the Commissioner was satisfied that it was reasonable to include the value of the fine that could have been imposed, but for the public sector approach, repeating that this approach “is clearly set out in the Commissioner’s open letter to public authorities in 2022”.

The reprimand added: “The Commissioner notes that the Post Office has had the chance to make representations on the reprimand and given the penalty will not be imposed due to the public sector approach considers that further detailed representations on the penalty calculation are not required.”

The ICO did, however, acknowledge in the reprimand that the £1.094 million figure did not reflect any further discount that might have been applied, including in response to representations the Post Office could have made on the proposed amount had the public sector approach not been in place.

The Commissioner meanwhile rejected the Post Office’s submissions that issuing a reprimand in this case would be inconsistent with action taken in other public sector breach cases.

Commenting more widely, the ICO observed: “This incident highlights the critical role everyone in an organisation plays in safeguarding personal information. The breach was not caused by malicious intent, but by a failure to follow basic data protection principles and to have the correct procedures in place.”

In light of its findings, the watchdog highlighted the following key lessons for organisations across all sectors:

  • Establish clear publication protocols: “Sensitive documents should go through a formal review and approval process before being published online. A multi-step sign-off process can help prevent errors.”
  • Understand the data you handle: “Every team, especially those handling public-facing content, must be trained to recognise personal information and assess its sensitivity in context. This includes understanding the reputational and emotional impact of disclosure.”
  • Centralise and classify documents: “Use secure, shared repositories with clear access controls and classification labels. Avoid reliance on personal storage systems such as OneDrive and Google Drive.”
  • Define roles and responsibilities: “Ensure that everyone involved in publishing content understands their role and the checks required before publication.”
  • Tailor training to the task: “General data protection training is not enough. Teams need specific guidance on publishing protocols, data classification, and risk awareness.”

Sally Anne Poole, ICO Head of Investigations said: “The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this. 

“The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place. 

“Other organisations should take notice of this reprimand and apply its learnings, so they don’t find themselves making the same mistake. Data protection by design must be embedded into everyday operations so people’s information is handled appropriately.”

A Post Office spokesperson said: "We would like to offer our sincere apologies to those who were affected by this data breach. We deeply regret the impact of the breach on them and understand that it is in addition to their experiences as part of the Group Litigation in the Horizon IT Scandal. Compensation payments have been made to the majority of those affected by this error, which saw the mistaken publication of a document on our website, and we are working through the outstanding offers on a case-by-case basis.

“We have since worked to identify and address where improvements should be made in our processes and controls. These measures have now been implemented and recognised by the Information Commissioner’s Office.”

Lottie Winson
