The Information Commissioner's Office (ICO) has issued a reprimand to the Post Office following a data breach in which it published the personal data of postmasters involved in group litigation relating to the Horizon IT scandal.
In April 2024, it was discovered that a link to a legal settlement document on the Post Office's website was broken. An employee sent a colleague a copy of the document so that it could be reuploaded. Instead of the redacted version of the document, however, the employee sent the unredacted version, containing personal data relating to 502 individuals involved in litigation against the Post Office that brought the Horizon IT scandal to light. The unredacted version was available on the website from 25 April until 19 June.
On being alerted to the problem, the Post Office removed the document from the website and reported the incident to the ICO. It also took a number of steps to mitigate the impact on the affected individuals, including informing them or their legal representatives, offering compensation and taking steps to remove other copies of the data from the internet.
The ICO's investigation found that there were no documented policies or procedures in place for preparing the document to be published on the website. The employee with the ability to upload documents to the Horizon webpage would receive documents from colleagues. No checks were conducted before uploading documents, as the employee responsible for uploading was under the impression that such checks had already been performed.
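The failure described above is the absence of any gate between "a colleague sent me a file" and "the file is on the website". As an added illustration, not code from the Post Office or the ICO, the following Python script shows the kind of pre-publication check such a workflow could have carried: the uploader's tool refuses any file whose SHA-256 digest does not match the entry a reviewer recorded for the approved, redacted version, and it separately scans the content for data that should not survive redaction (UK postcodes, street addresses, monetary amounts). The manifest, the two sample documents and the pattern list are all constructed for the example.

```python
import hashlib
import re

# Constructed sample documents (not the Post Office's material): the reviewed,
# redacted text, and the unredacted original that must never reach the website.
REDACTED_SAMPLE = (
    "Settlement agreement\n"
    "Claimant: [REDACTED]\n"
    "Address: [REDACTED]\n"
    "Settlement sum: [REDACTED]\n"
).encode()

UNREDACTED_SAMPLE = (
    "Settlement agreement\n"
    "Claimant: A. Example\n"
    "Address: 1 High Street, Anytown, AB1 2CD\n"
    "Settlement sum: £12,345\n"
).encode()


def sha256_hex(data: bytes) -> str:
    """Digest used to tie an upload to the exact bytes a reviewer approved."""
    return hashlib.sha256(data).hexdigest()


# Assumed publication manifest (an assumption of this example): a reviewer
# records the digest of each file once redaction is confirmed, and only a
# file matching its entry may be uploaded.
APPROVED_MANIFEST = {
    "horizon-settlement.txt": sha256_hex(REDACTED_SAMPLE),
}

# Coarse patterns for data that should not survive redaction. A match is a
# reason to stop and look, not proof of a leak.
PII_PATTERNS = {
    "uk postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "street address": re.compile(
        r"\b\d+\s+[A-Z][a-z]+\s+(?:Street|Road|Lane|Avenue|Close)\b"
    ),
    "monetary amount": re.compile(r"£\s?\d[\d,]*"),
}


def residual_pii(text: str) -> list:
    """Return the names of the PII patterns that still appear in the text."""
    return [name for name, pattern in PII_PATTERNS.items() if pattern.search(text)]


def check_before_publish(filename: str, data: bytes, manifest=APPROVED_MANIFEST):
    """Gate a file before upload. Returns (ok, reasons).

    Both checks always run so the uploader sees every problem at once; the
    file is cleared only when the digest matches the approved entry and no
    PII pattern fires.
    """
    reasons = []
    expected = manifest.get(filename)
    if expected is None:
        reasons.append(f"no approved entry for {filename!r}")
    elif sha256_hex(data) != expected:
        reasons.append("sha256 hash does not match the approved redacted version")
    for name in residual_pii(data.decode("utf-8", errors="replace")):
        reasons.append(f"possible {name} found in content")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, doc in (("redacted", REDACTED_SAMPLE), ("unredacted", UNREDACTED_SAMPLE)):
        ok, reasons = check_before_publish("horizon-settlement.txt", doc)
        print(f"{label}: {'cleared' if ok else 'blocked'} {reasons}")
```

The two checks fail independently on purpose: the digest comparison catches the exact mistake in this incident (the wrong file was sent on), while the content scan catches a file that was never redacted properly in the first place. Neither replaces the documented review the ICO found missing; they make its outcome something the upload step can verify rather than assume.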
Given the context of the Horizon IT scandal and the fact that the document contained names, addresses and financial settlement details, making individuals potentially vulnerable to fraud, burglary and targeted scams, a high level of security was appropriate to the risk presented by preparing the document for publication. The ICO found that the Post Office had breached Articles 5(1)(f) and 32(1) of the UK General Data Protection Regulation (GDPR) as there was sufficient evidence to demonstrate that, despite the known risks to the rights and freedoms of the individuals, the Post Office had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to those risks. The ICO also concluded that the Post Office had not adequately assessed the information risk it faced or how valuable, sensitive or confidential the information it held was, as required by Article 32(2) of the GDPR.
Since 2022, the ICO has adopted a revised approach to public sector enforcement, in which it has committed to working proactively with senior leaders to encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong. In practice, this means that the ICO has also committed to increasing the use of reprimands and enforcement notices, only issuing monetary penalties in the most egregious cases. Had this approach not been in place, the ICO considered that a monetary penalty of up to £1,094,000 would have been deemed appropriate.